From 430d327bd0bf8113bfab204e8e3305e17d23c787 Mon Sep 17 00:00:00 2001
From: kaedwen
Date: Fri, 7 Jul 2023 12:45:40 +0200
Subject: [PATCH 001/135] add specific sops error handling with status code

Signed-off-by: kaedwen
---
 cmd/sops/main.go | 2 ++
 sops.go | 17 ++++++++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 2deea8671..ca75d6281 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -1006,6 +1006,8 @@ func toExitError(err error) error {
 return cliErr
 } else if execErr, ok := err.(*osExec.ExitError); ok && execErr != nil {
 return cli.NewExitError(err, execErr.ExitCode())
+ } else if sopsErr, ok := err.(*sops.SopsError); ok && sopsErr != nil {
+ return cli.NewExitError(err, sopsErr.ExitCode())
 } else if err != nil {
 return cli.NewExitError(err, codes.ErrorGeneric)
 }
diff --git a/sops.go b/sops.go
index a6caa0df8..09d0eee07 100644
--- a/sops.go
+++ b/sops.go
@@ -58,17 +58,24 @@ import (
 // DefaultUnencryptedSuffix is the default suffix a TreeItem key has to end with for sops to leave its Value unencrypted
 const DefaultUnencryptedSuffix = "_unencrypted"
 
-type sopsError string
+type SopsError struct {
+ exitCode int
+ message string
+}
+
+func (e SopsError) ExitCode() int {
+ return e.exitCode
+}
 
-func (e sopsError) Error() string {
- return string(e)
+func (e SopsError) Error() string {
+ return e.message
 }
 
 // MacMismatch occurs when the computed MAC does not match the expected ones
-const MacMismatch = sopsError("MAC mismatch")
+var MacMismatch = &SopsError{10, "MAC mismatch"}
 
 // MetadataNotFound occurs when the input file is malformed and doesn't have sops metadata in it
-const MetadataNotFound = sopsError("sops metadata not found")
+var MetadataNotFound = &SopsError{11, "sops metadata not found"}
 
 var log *logrus.Logger
 
From 4125f2dc8e516093337c68c1ece1065a77637cf5 Mon Sep 17 00:00:00 2001
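Review bot: The new `err.(*sops.SopsError)` branch only matches a bare *SopsError; a value wrapped on the way up (`fmt.Errorf("...: %w", sops.MacMismatch)`) falls through to the `codes.ErrorGeneric` branch and the dedicated exit code is lost. Declaring `var sopsErr *sops.SopsError` ahead of the chain and testing `} else if errors.As(err, &sopsErr) {` keeps the mapping intact under wrapping; the `*osExec.ExitError` branch just above has the same limitation and could move to `errors.As` in the same edit. Whether any caller wraps these sentinels is not visible in this hunk, so check the decrypt path before deciding. toExitError starts before the hunk and continues after it.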
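Review bot: `MacMismatch` and `MetadataNotFound` go from `const` to exported package-level `var` pointers, so any importer can reassign the sentinels, and the exit codes `10` and `11` are unnamed literals whose relationship to the CLI's existing `codes` values (see `codes.ErrorGeneric` in the main.go hunk) cannot be checked from here. Naming them keeps the mapping reviewable, e.g. `const exitCodeMacMismatch = 10` and `const exitCodeMetadataNotFound = 11` above the two `var` lines (names are suggestions). `SopsError` is exported but both fields are unexported and there is no constructor, so other packages can only use these two sentinels; a doc comment on the type should say so: `// SopsError is an error carrying the process exit code the CLI should use; the package sentinels MacMismatch and MetadataNotFound are its only instances.` Callers comparing with `==` keep working by pointer identity as long as nobody copies the pointee.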
From: Hidde Beydals Date: Tue, 11 Jul 2023 21:38:58 +0200 Subject: [PATCH 002/135] Delete obsolete `validation/` artifact This appears to be a 7 year old, unmaintained, unused, artifact from around the time things were still written in Python. As observed earlier in #1234. As this now actively triggers a security warning due to an outdated dependency, remove it. Signed-off-by: Hidde Beydals --- validation/Cargo.toml | 8 ---- validation/example.json | 25 ---------- validation/example.yaml | 15 ------ validation/src/main.rs | 102 ---------------------------------------- 4 files changed, 150 deletions(-) delete mode 100644 validation/Cargo.toml delete mode 100644 validation/example.json delete mode 100644 validation/example.yaml delete mode 100644 validation/src/main.rs diff --git a/validation/Cargo.toml b/validation/Cargo.toml deleted file mode 100644 index 77e7ae990..000000000 --- a/validation/Cargo.toml +++ /dev/null @@ -1,8 +0,0 @@ -[package] -name = "validation" -version = "0.1.0" -authors = ["Adrian Utrilla "] - -[dependencies] -serde_json = "0.8.0" -yaml-rust = "0.3.3" diff --git a/validation/example.json b/validation/example.json deleted file mode 100644 index 0210f11c0..000000000 --- a/validation/example.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "glossary": { - "title": "example glossary", - "GlossDiv": { - "title": "S", - "GlossList": { - "GlossEntry": { - "ID": "SGML", - "SortAs": "SGML", - "GlossTerm": "Standard Generalized Markup Language", - "Acronym": "SGML", - "Abbrev": "ISO 8879:1986", - "GlossDef": { - "para": "A meta-markup language, used to create markup languages such as DocBook.", - "GlossSeeAlso": [ - "GML", - "XML" - ] - }, - "GlossSee": "markup" - } - } - } - } -} diff --git a/validation/example.yaml b/validation/example.yaml deleted file mode 100644 index 3dc91d024..000000000 --- a/validation/example.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -name: Martin -job: Developer -skill: Elite -foods: - - Apple - - Orange - - Strawberry - - Mango -languages: - perl: Elite - python: Elite - pascal: Lame -foo: | - bar - baz diff --git a/validation/src/main.rs b/validation/src/main.rs deleted file mode 100644 index 46035c882..000000000 --- a/validation/src/main.rs +++ /dev/null 
@@ -1,102 +0,0 @@ -use std::rc::Rc; -use std::process::{Stdio, Command}; -use std::io::{Write, Read}; -use std::fs::{OpenOptions, File}; -use std::str; -use std::env; -extern crate serde_json; - -use serde_json::Value; - -extern crate yaml_rust; -use yaml_rust::{YamlLoader, YamlEmitter}; - -fn main() {} - -fn run_sops_and_return_output(command: &mut Command, filename: &str) -> String { - let mut child = command.stdout(Stdio::piped()) - .arg(filename) - .spawn() - .expect("Could not start sops python process"); - let output = child.wait_with_output().expect("Could not retrieve sops's output"); - if !output.status.success() { - panic!("sops did not exit successfully!"); - } - return String::from_utf8(output.stdout).expect("Could not decode sops's output as utf-8"); -} - -fn get_sops_python() -> Command { - let sops_python_path = env::var("SOPS_PYTHON_PATH") - .expect("SOPS_PYTHON_PATH environment variable missing"); - let mut cmd = Command::new("python"); - cmd.arg(sops_python_path); - cmd -} - -fn encrypt_with_sops_python(plaintext: &str) -> String { - let mut child = get_sops_python(); - let child = child.arg("-e"); - return run_sops_and_return_output(child, plaintext); -} - -fn decrypt_with_sops_python(ciphertext: &str) -> String { - let mut child = get_sops_python(); - let child = child.arg("-d"); - return run_sops_and_return_output(child, ciphertext); -} - -fn validate_json_file(input_file_name: &str, - encrypt: fn(&str) -> String, - decrypt: fn(&str) -> String) { - let output_file_name = "temp.json"; - let mut input = String::new(); - File::open(input_file_name).unwrap().read_to_string(&mut input); - let input_value: Value = serde_json::from_str(&input).expect("Could not decode input json"); - let encrypted_output = encrypt(input_file_name); - let mut output_file = OpenOptions::new() - .write(true) - .create(true) - .open(output_file_name) - .expect("Could not open output file"); - output_file.write_all(encrypted_output.as_bytes()).expect("Could not write to 
output file"); - let decryption = decrypt(output_file_name); - let output_value: Value = serde_json::from_str(&decryption).unwrap(); - std::fs::remove_file(output_file_name).expect("Could not remove output file"); - assert_eq!(input_value, output_value); -} - -fn validate_yaml_file(input_file_name: &str, - encrypt: fn(&str) -> String, - decrypt: fn(&str) -> String) { - let output_file_name = "temp.yaml"; - let mut input = String::new(); - File::open(input_file_name).unwrap().read_to_string(&mut input); - let input_value = YamlLoader::load_from_str(&input).expect("Could not decode input yaml"); - let encrypted_output = encrypt(input_file_name); - let mut output_file = OpenOptions::new() - .write(true) - .create(true) - .open(output_file_name) - .expect("Could not open output file"); - output_file.write_all(encrypted_output.as_bytes()).expect("Could not write to output file"); - let decryption = decrypt(output_file_name); - let output_value = YamlLoader::load_from_str(&decryption) - .expect("Could not decode output yaml"); - std::fs::remove_file(output_file_name).expect("Could not remove output file"); - assert_eq!(input_value, output_value); -} - -#[test] -fn validate_python_json() { - validate_json_file("example.json", - encrypt_with_sops_python, - decrypt_with_sops_python); -} - - -#[test] -fn validate_python_yaml() { - validate_yaml_file("example.yaml", - encrypt_with_sops_python, - decrypt_with_sops_python); -} From 2267fddfce199370fa2081ea494541ee078d4494 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 11 Jul 2023 22:13:03 +0200 Subject: [PATCH 003/135] gcpkms: allow use of Google default credentials By addressing the bug in the introduced logic around the `GOOGLE_CREDENTIALS` environment variable. The variable is now only taken into account when set, and actually containing a value. Signed-off-by: Hidde Beydals --- gcpkms/keysource.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) 
diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go
index d549b32b8..49446ebe7 100644
--- a/gcpkms/keysource.go
+++ b/gcpkms/keysource.go
@@ -217,7 +217,7 @@ func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
 return nil, err
 }
 if credentials != nil {
- opts = append(opts, option.WithCredentialsJSON(key.credentialJSON))
+ opts = append(opts, option.WithCredentialsJSON(credentials))
 }
 }
 if key.grpcConn != nil {
@@ -238,9 +238,11 @@ func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
 // JSON format. It returns an error if the file cannot be read, and may return
 // a nil byte slice if no value is set.
 func getGoogleCredentials() ([]byte, error) {
- defaultCredentials := os.Getenv(SopsGoogleCredentialsEnv)
- if _, err := os.Stat(defaultCredentials); err == nil {
- return os.ReadFile(defaultCredentials)
+ if defaultCredentials, ok := os.LookupEnv(SopsGoogleCredentialsEnv); ok && len(defaultCredentials) > 0 {
+ if _, err := os.Stat(defaultCredentials); err == nil {
+ return os.ReadFile(defaultCredentials)
+ }
+ return []byte(defaultCredentials), nil
 }
- return []byte(defaultCredentials), nil
+ return nil, nil
 }
From 565cf5236713209e1e8ef5dfb21fff5080fa3417 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Mon, 18 Jul 2022 20:10:52 +0000
Subject: [PATCH 004/135] Revert intro of `WithError` for most key sources

Most of the rewritten key sources introduced `WithError` calls, which does not appear to go well with the UX of the CLI. This reverts it to be the semi equal to current `master`.

During the diff, I noticed the current age implementation in master does make use of `WithError`. Which makes me wonder if errors are not returned twice at present in the CLI.

Signed-off-by: Hidde Beydals
---
 age/keysource.go | 16 ++++++++--------
 gcpkms/keysource.go | 14 +++++++-------
 hcvault/keysource.go | 12 ++++++------
 kms/keysource.go | 10 +++++-----
 pgp/keysource.go | 4 ++--
 5 files changed, 28 insertions(+), 28 deletions(-)

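Review bot: `ok && len(defaultCredentials) > 0` in `getGoogleCredentials` makes an unset variable and an empty one behave identically, so `os.LookupEnv` adds nothing over `os.Getenv`: `if defaultCredentials := os.Getenv(SopsGoogleCredentialsEnv); defaultCredentials != "" {` reads the same with one fewer condition. The path-or-inline decision rests on `os.Stat` succeeding, which means any stat failure (an unsearchable parent directory, an over-long name, not only a missing file) turns the value into inline JSON and the eventual failure surfaces as a credential-parse error rather than a file error; that is hard to avoid because an inline document also fails stat, but the heuristic deserves a comment on the `os.Stat` line, e.g. `// An existing file wins; anything else is taken to be the JSON document itself.` A file that exists but cannot be read is already reported, since `os.ReadFile` returns its error.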
diff --git a/age/keysource.go b/age/keysource.go
index d05431383..8e64e0f09 100644
--- a/age/keysource.go
+++ b/age/keysource.go
@@ -124,7 +124,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 if key.parsedRecipient == nil {
 parsedRecipient, err := parseRecipient(key.Recipient)
 if err != nil {
- log.WithError(err).WithField("recipient", key.parsedRecipient).Error("Encryption failed")
+ log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
 return err
 }
 key.parsedRecipient = parsedRecipient
@@ -134,19 +134,19 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 aw := armor.NewWriter(&buffer)
 w, err := age.Encrypt(aw, key.parsedRecipient)
 if err != nil {
- log.WithError(err).WithField("recipient", key.parsedRecipient).Error("Encryption failed")
+ log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
 return fmt.Errorf("failed to create writer for encrypting sops data key with age: %w", err)
 }
 if _, err := w.Write(dataKey); err != nil {
- log.WithError(err).WithField("recipient", key.parsedRecipient).Error("Encryption failed")
+ log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
 return fmt.Errorf("failed to encrypt sops data key with age: %w", err)
 }
 if err := w.Close(); err != nil {
- log.WithError(err).WithField("recipient", key.parsedRecipient).Error("Encryption failed")
+ log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
 return fmt.Errorf("failed to close writer for encrypting sops data key with age: %w", err)
 }
 if err := aw.Close(); err != nil {
- log.WithError(err).WithField("recipient", key.parsedRecipient).Error("Encryption failed")
+ log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
 return fmt.Errorf("failed to close armored writer: %w", err)
 }
 
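Review bot: In the first age hunk (`@@ -124`) the retained log line reports `key.parsedRecipient` as the `recipient` field, but that branch only runs when `key.parsedRecipient == nil` and `parseRecipient(key.Recipient)` has just failed, so the field always logs nil and the string that failed to parse is never recorded. `log.WithField("recipient", key.Recipient).Error("Encryption failed")` is the value worth having there; the lines in the second hunk run after a successful parse and are fine as written. The mistake predates this commit, but with `WithError` gone it is now the only context that log line carries. Encrypt continues past both hunks.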
@@ -180,7 +180,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 if len(key.parsedIdentities) == 0 {
 ids, err := key.loadIdentities()
 if err != nil {
- log.WithError(err).Error("Decryption failed")
+ log.Error("Decryption failed")
 return nil, fmt.Errorf("failed to load age identities: %w", err)
 }
 ids.ApplyToMasterKey(key)
@@ -190,13 +190,13 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 ar := armor.NewReader(src)
 r, err := age.Decrypt(ar, key.parsedIdentities...)
 if err != nil {
- log.WithError(err).Error("Decryption failed")
+ log.Error("Decryption failed")
 return nil, fmt.Errorf("failed to create reader for decrypting sops data key with age: %w", err)
 }
 
 var b bytes.Buffer
 if _, err := io.Copy(&b, r); err != nil {
- log.WithError(err).Error("Decryption failed")
+ log.Error("Decryption failed")
 return nil, fmt.Errorf("failed to copy age decrypted data into bytes.Buffer: %w", err)
 }
 
diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go
index 49446ebe7..f165fe2ea 100644
--- a/gcpkms/keysource.go
+++ b/gcpkms/keysource.go
@@ -94,12 +94,12 @@ func (c CredentialJSON) ApplyToMasterKey(key *MasterKey) {
 func (key *MasterKey) Encrypt(dataKey []byte) error {
 service, err := key.newKMSClient()
 if err != nil {
- log.WithError(err).WithField("resourceID", key.ResourceID).Error("Encryption failed")
+ log.WithField("resourceID", key.ResourceID).Error("Encryption failed")
 return fmt.Errorf("cannot create GCP KMS service: %w", err)
 }
 defer func() {
 if err := service.Close(); err != nil {
- log.WithError(err).Error("failed to close GCP KMS client connection")
+ log.Error("failed to close GCP KMS client connection")
 }
 }()
 
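Review bot: In the `defer` closure of the gcpkms Encrypt hunk (`@@ -94`), `log.Error("failed to close GCP KMS client connection")` is the only place the `service.Close()` error goes — unlike every other error touched by this series it is not returned to the caller, so dropping `WithError(err)` discards the cause entirely. Keep it on that line, `log.WithError(err).Error("failed to close GCP KMS client connection")`, or fold it into the message with `log.Errorf`; the identical deferred closure in the gcpkms Decrypt hunk (`@@ -145`) needs the same treatment. The double-printing concern in the commit message does not apply here, since nothing else reports this error. Encrypt continues past the hunk.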
@@ -110,7 +110,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error { ctx := context.Background() resp, err := service.Encrypt(ctx, req) if err != nil { - log.WithError(err).WithField("resourceID", key.ResourceID).Error("Encryption failed") + log.WithField("resourceID", key.ResourceID).Error("Encryption failed") return fmt.Errorf("failed to encrypt sops data key with GCP KMS key: %w", err) } // NB: base64 encoding is for compatibility with SOPS <=3.8.x. @@ -145,12 +145,12 @@ func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error { func (key *MasterKey) Decrypt() ([]byte, error) { service, err := key.newKMSClient() if err != nil { - log.WithError(err).WithField("resourceID", key.ResourceID).Error("Decryption failed") + log.WithField("resourceID", key.ResourceID).Error("Decryption failed") return nil, fmt.Errorf("cannot create GCP KMS service: %w", err) } defer func() { if err := service.Close(); err != nil { - log.WithError(err).Error("failed to close GCP KMS client connection") + log.Error("failed to close GCP KMS client connection") } }() @@ -158,7 +158,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) { // client used to work with base64 encoded strings. decodedCipher, err := base64.StdEncoding.DecodeString(string(key.EncryptedDataKey())) if err != nil { - log.WithError(err).WithField("resourceID", key.ResourceID).Error("Decryption failed") + log.WithField("resourceID", key.ResourceID).Error("Decryption failed") return nil, err } @@ -169,7 +169,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) { ctx := context.Background() resp, err := service.Decrypt(ctx, req) if err != nil { - log.WithError(err).WithField("resourceID", key.ResourceID).Error("Decryption failed") + log.WithField("resourceID", key.ResourceID).Error("Decryption failed") return nil, fmt.Errorf("failed to decrypt sops data key with GCP KMS key: %w", err) } diff --git a/hcvault/keysource.go b/hcvault/keysource.go index a1e1736e1..f071030ad 100644 --- a/hcvault/keysource.go 
+++ b/hcvault/keysource.go @@ -130,18 +130,18 @@ func (key *MasterKey) Encrypt(dataKey []byte) error { client, err := vaultClient(key.VaultAddress, key.token) if err != nil { - log.WithError(err).WithField("Path", fullPath).Error("Encryption failed") + log.WithField("Path", fullPath).Error("Encryption failed") return err } secret, err := client.Logical().Write(fullPath, encryptPayload(dataKey)) if err != nil { - log.WithError(err).WithField("Path", fullPath).Error("Encryption failed") + log.WithField("Path", fullPath).Error("Encryption failed") return fmt.Errorf("failed to encrypt sops data key to Vault transit backend '%s': %w", fullPath, err) } encryptedKey, err := encryptedKeyFromSecret(secret) if err != nil { - log.WithError(err).WithField("Path", fullPath).Error("Encryption failed") + log.WithField("Path", fullPath).Error("Encryption failed") return fmt.Errorf("failed to encrypt sops data key to Vault transit backend '%s': %w", fullPath, err) } @@ -175,18 +175,18 @@ func (key *MasterKey) Decrypt() ([]byte, error) { client, err := vaultClient(key.VaultAddress, key.token) if err != nil { - log.WithError(err).WithField("Path", fullPath).Error("Decryption failed") + log.WithField("Path", fullPath).Error("Decryption failed") return nil, err } secret, err := client.Logical().Write(fullPath, decryptPayload(key.EncryptedKey)) if err != nil { - log.WithError(err).WithField("Path", fullPath).Error("Decryption failed") + log.WithField("Path", fullPath).Error("Decryption failed") return nil, fmt.Errorf("failed to decrypt sops data key from Vault transit backend '%s': %w", fullPath, err) } dataKey, err := dataKeyFromSecret(secret) if err != nil { - log.WithError(err).WithField("Path", fullPath).Error("Decryption failed") + log.WithField("Path", fullPath).Error("Decryption failed") return nil, fmt.Errorf("failed to decrypt sops data key from Vault transit backend '%s': %w", fullPath, err) } diff --git a/kms/keysource.go b/kms/keysource.go index 8ce11ff4c..d1e407f82 100644 
--- a/kms/keysource.go +++ b/kms/keysource.go @@ -194,7 +194,7 @@ func (c CredentialsProvider) ApplyToMasterKey(key *MasterKey) { func (key *MasterKey) Encrypt(dataKey []byte) error { cfg, err := key.createKMSConfig() if err != nil { - log.WithError(err).WithField("arn", key.Arn).Error("Encryption failed") + log.WithField("arn", key.Arn).Error("Encryption failed") return err } client := kms.NewFromConfig(*cfg) @@ -205,7 +205,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error { } out, err := client.Encrypt(context.TODO(), input) if err != nil { - log.WithError(err).WithField("arn", key.Arn).Error("Encryption failed") + log.WithField("arn", key.Arn).Error("Encryption failed") return fmt.Errorf("failed to encrypt sops data key with AWS KMS: %w", err) } key.EncryptedKey = base64.StdEncoding.EncodeToString(out.CiphertextBlob) @@ -237,12 +237,12 @@ func (key *MasterKey) SetEncryptedDataKey(enc []byte) { func (key *MasterKey) Decrypt() ([]byte, error) { k, err := base64.StdEncoding.DecodeString(key.EncryptedKey) if err != nil { - log.WithError(err).WithField("arn", key.Arn).Error("Decryption failed") + log.WithField("arn", key.Arn).Error("Decryption failed") return nil, fmt.Errorf("error base64-decoding encrypted data key: %s", err) } cfg, err := key.createKMSConfig() if err != nil { - log.WithError(err).WithField("arn", key.Arn).Error("Decryption failed") + log.WithField("arn", key.Arn).Error("Decryption failed") return nil, err } client := kms.NewFromConfig(*cfg) @@ -253,7 +253,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) { } decrypted, err := client.Decrypt(context.TODO(), input) if err != nil { - log.WithError(err).WithField("arn", key.Arn).Error("Decryption failed") + log.WithField("arn", key.Arn).Error("Decryption failed") return nil, fmt.Errorf("failed to decrypt sops data key with AWS KMS: %w", err) } log.WithField("arn", key.Arn).Info("Decryption succeeded") diff --git a/pgp/keysource.go b/pgp/keysource.go index c82b4245a..2adf0c6f8 100644 
--- a/pgp/keysource.go +++ b/pgp/keysource.go @@ -268,7 +268,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error { } errs = append(errs, fmt.Errorf("GnuPG binary error: %w", binaryErr)) - log.WithError(errs).WithField("fingerprint", key.Fingerprint).Error("Encryption failed") + log.WithField("fingerprint", key.Fingerprint).Error("Encryption failed") return fmt.Errorf("could not encrypt data key with PGP key: %w", errs) } @@ -379,7 +379,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) { } errs = append(errs, fmt.Errorf("GnuPG binary error: %w", binaryErr)) - log.WithError(errs).WithField("fingerprint", key.Fingerprint).Error("Decryption failed") + log.WithField("fingerprint", key.Fingerprint).Error("Decryption failed") return nil, fmt.Errorf("could not decrypt data key with PGP key: %w", errs) } From 2957fe91b5bf9acd44e57f7709d6a040dbe5af2b Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 11 Jul 2023 21:09:23 +0200 Subject: [PATCH 005/135] Rename Go module to `github.com/getsops/sops/v3` This commit renames the Go module from `go.mozilla.org/sops/v3` to `github.com/getsops/sops/v3` without a major version bump, to align with new stewardship. For more information around this change, refer to https://github.com/getsops/sops/issues/1246. For a one-liner to change the `go.mod` and any import paths in your Go project making use of this module, run: ``` find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \; find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i '' 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \; ``` 
Signed-off-by: Hidde Beydals --- .github/workflows/release.yml | 10 ++-- CONTRIBUTING.md | 4 +- Dockerfile | 4 +- Dockerfile.alpine | 4 +- Makefile | 18 ++++---- README.rst | 12 ++--- aes/cipher.go | 6 +-- aes/cipher_test.go | 2 +- age/keysource.go | 2 +- audit/audit.go | 2 +- azkv/keysource.go | 6 +-- cmd/sops/common/common.go | 22 ++++----- cmd/sops/decrypt.go | 8 ++-- cmd/sops/edit.go | 10 ++-- cmd/sops/encrypt.go | 10 ++-- cmd/sops/main.go | 48 ++++++++++---------- cmd/sops/rotate.go | 12 ++--- cmd/sops/set.go | 8 ++-- cmd/sops/subcommand/exec/exec.go | 2 +- cmd/sops/subcommand/groups/add.go | 6 +-- cmd/sops/subcommand/groups/delete.go | 6 +-- cmd/sops/subcommand/keyservice/keyservice.go | 4 +- cmd/sops/subcommand/publish/publish.go | 16 +++---- cmd/sops/subcommand/updatekeys/updatekeys.go | 8 ++-- config/config.go | 20 ++++---- decrypt/decrypt.go | 8 ++-- decrypt/example_test.go | 2 +- gcpkms/keysource.go | 4 +- go.mod | 2 +- hcvault/keysource.go | 2 +- keyservice/keyservice.go | 14 +++--- keyservice/server.go | 12 ++--- kms/keysource.go | 6 +-- make_download_page.sh | 4 +- pgp/keysource.go | 6 +-- publish/vault.go | 2 +- sops.go | 18 ++++---- stores/dotenv/store.go | 6 +-- stores/dotenv/store_test.go | 2 +- stores/ini/store.go | 6 +-- stores/ini/store_test.go | 2 +- stores/json/store.go | 6 +-- stores/json/store_test.go | 2 +- stores/stores.go | 14 +++--- stores/yaml/store.go | 6 +-- stores/yaml/store_test.go | 2 +- version/version.go | 2 +- 47 files changed, 189 insertions(+), 189 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 86e2ac112..3f1d5f41a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -35,17 +35,17 @@ jobs: - name: Set RELEASE_NUMBER run: echo "RELEASE_NUMBER=$(echo $RELEASE_VERSION | cut -c2-)" >> $GITHUB_ENV - name: Build linux amd64 binary - run: GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 go.mozilla.org/sops/v3/cmd/sops && cp dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 dist/sops-${{ env.RELEASE_VERSION }}.linux + run: GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 github.com/getsops/sops/v3/cmd/sops && cp dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 dist/sops-${{ env.RELEASE_VERSION }}.linux - name: Build linux arm64 binary - run: GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.linux.arm64 go.mozilla.org/sops/v3/cmd/sops + run: GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.linux.arm64 github.com/getsops/sops/v3/cmd/sops - name: Build darwin amd64 binary - run: GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 go.mozilla.org/sops/v3/cmd/sops + run: GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 github.com/getsops/sops/v3/cmd/sops - name: Copy darwin amd64 to have a no-architecture labeled version run: cp dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 dist/sops-${{ env.RELEASE_VERSION }}.darwin - name: Build darwin arm64 binary - run: GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.arm64 go.mozilla.org/sops/v3/cmd/sops + run: GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.arm64 github.com/getsops/sops/v3/cmd/sops - name: Build windows binary - run: GOOS=windows CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.exe 
go.mozilla.org/sops/v3/cmd/sops + run: GOOS=windows CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.exe github.com/getsops/sops/v3/cmd/sops - name: Create release uses: "mozilla/action-automatic-releases@latest" with: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 05c833d89..75897a045 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -5,8 +5,8 @@ Mozilla welcomes contributions from everyone. Here are a few guidelines and inst # Getting started * Make sure you have Go 1.12 or greater installed. You can find information on how to install Go [here](https://golang.org/dl/) -* After following the [Go installation guide](https://golang.org/doc/install), run `go get go.mozilla.org/sops`. This will automatically clone this repository. -* Switch into sops's directory, which will be in `$GOPATH/src/go.mozilla.org/sops`. +* After following the [Go installation guide](https://golang.org/doc/install), run `go get github.com/getsops/sops/v3`. This will automatically clone this repository. +* Switch into sops's directory, which will be in `$GOPATH/src/github.com/getsops/sops/v3`. * Run the tests with `make test`. They should all pass. * Fork the project on GitHub. * Add your fork to git's remotes: diff --git a/Dockerfile b/Dockerfile index d0c58a36f..6db37f1fa 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM golang:1.20 -COPY . /go/src/go.mozilla.org/sops -WORKDIR /go/src/go.mozilla.org/sops +COPY . /go/src/github.com/getsops/sops/v3 +WORKDIR /go/src/github.com/getsops/sops/v3 RUN CGO_ENABLED=1 make install RUN apt-get update diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 530585240..583a83ce0 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -2,8 +2,8 @@ FROM golang:1.20-alpine3.18 AS builder RUN apk --no-cache add make -COPY . /go/src/go.mozilla.org/sops -WORKDIR /go/src/go.mozilla.org/sops +COPY . /go/src/github.com/getsops/sops/v3 +WORKDIR /go/src/github.com/getsops/sops/v3 RUN CGO_ENABLED=1 make install 
diff --git a/Makefile b/Makefile index e302a7464..e97b17bc7 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. -PROJECT := go.mozilla.org/sops/v3 +PROJECT := github.com/getsops/sops/v3 GO := GOPROXY=https://proxy.golang.org go GOLINT := golint @@ -10,7 +10,7 @@ all: test vet generate install functional-tests origin-build: test vet generate install functional-tests-all install: - $(GO) install go.mozilla.org/sops/v3/cmd/sops + $(GO) install github.com/getsops/sops/v3/cmd/sops tag: all git tag -s $(TAGVER) -a -m "$(TAGMSG)" @@ -39,13 +39,13 @@ generate: keyservice/keyservice.pb.go protoc --go_out=plugins=grpc:. $< functional-tests: - $(GO) build -o functional-tests/sops go.mozilla.org/sops/v3/cmd/sops + $(GO) build -o functional-tests/sops github.com/getsops/sops/v3/cmd/sops cd functional-tests && cargo test # Ignored tests are ones that require external services (e.g. AWS KMS) # TODO: Once `--include-ignored` lands in rust stable, switch to that. functional-tests-all: - $(GO) build -o functional-tests/sops go.mozilla.org/sops/v3/cmd/sops + $(GO) build -o functional-tests/sops github.com/getsops/sops/v3/cmd/sops cd functional-tests && cargo test && cargo test -- --ignored # Creates variables during target re-definition. Basically this block allows the particular variables to be used in the final target 
@@ -56,11 +56,11 @@ build-deb-%: FPM_ARCH = $(word 3,$(subst -, ,$*)) build-deb-%: rm -rf tmppkg mkdir -p tmppkg/usr/local/bin - GOOS=$(OS) GOARCH="$(ARCH)" CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops go.mozilla.org/sops/v3/cmd/sops + GOOS=$(OS) GOARCH="$(ARCH)" CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops github.com/getsops/sops/v3/cmd/sops fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \ -m "AJ Bahnken " \ - --url https://go.mozilla.org/sops \ + --url https://github.com/getsops/sops/v3 \ --architecture $(FPM_ARCH) \ -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ -s dir -t deb . @@ -76,11 +76,11 @@ build-rpm-%: FPM_ARCH = $(word 3,$(subst -, ,$*)) build-rpm-%: rm -rf tmppkg mkdir -p tmppkg/usr/local/bin - GOOS=$(OS) GOARCH="$(ARCH)" CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops go.mozilla.org/sops/v3/cmd/sops + GOOS=$(OS) GOARCH="$(ARCH)" CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops github.com/getsops/sops/v3/cmd/sops fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \ -m "AJ Bahnken " \ - --url https://go.mozilla.org/sops \ + --url https://github.com/getsops/sops/v3 \ --architecture $(FPM_ARCH) \ --rpm-os $(OS) \ -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ 
@@ -99,7 +99,7 @@ else fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \ -m "Mozilla Security " \ - --url https://go.mozilla.org/sops \ + --url https://github.com/getsops/sops/v3 \ --architecture x86_64 \ -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ -s dir -t osxpkg \ diff --git a/README.rst b/README.rst index c44582aee..e188351c8 100644 --- a/README.rst +++ b/README.rst @@ -9,8 +9,8 @@ formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. ------------ -.. image:: https://pkg.go.dev/badge/go.mozilla.org/sops/v3.svg - :target: https://pkg.go.dev/go.mozilla.org/sops/v3 +.. image:: https://pkg.go.dev/badge/github.com/getsops/sops/v3.svg + :target: https://pkg.go.dev/github.com/getsops/sops/v3 Download -------- @@ -25,9 +25,9 @@ For the adventurous, unstable features are available in the `develop` branch, wh .. code:: bash - $ mkdir -p $GOPATH/src/go.mozilla.org/sops/ - $ git clone https://github.com/mozilla/sops.git $GOPATH/src/go.mozilla.org/sops/ - $ cd $GOPATH/src/go.mozilla.org/sops/ + $ mkdir -p $GOPATH/src/github.com/getsops/sops/v3/ + $ git clone https://github.com/mozilla/sops.git $GOPATH/src/github.com/getsops/sops/v3/ + $ cd $GOPATH/src/github.com/getsops/sops/v3/ $ git checkout develop $ make install @@ -44,7 +44,7 @@ If you don't have Go installed, set it up with: Or whatever variation of the above fits your system and shell. -To use **sops** as a library, take a look at the `decrypt package `_. +To use **sops** as a library, take a look at the `decrypt package `_. .. sectnum:: .. contents:: Table of Contents diff --git a/aes/cipher.go b/aes/cipher.go index 317df6316..d4ad74add 100644 --- a/aes/cipher.go +++ b/aes/cipher.go 
@@ -1,7 +1,7 @@ /* Package aes defines a Cipher that uses 256-bit AES-GCM authenticated encryption to encrypt values the SOPS tree. */ -package aes //import "go.mozilla.org/sops/v3/aes" +package aes //import "github.com/getsops/sops/v3/aes" import ( cryptoaes "crypto/aes" @@ -14,8 +14,8 @@ import ( "strings" "github.com/sirupsen/logrus" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/logging" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/logging" ) var log *logrus.Logger diff --git a/aes/cipher_test.go b/aes/cipher_test.go index 2a3ba1edd..4d53510aa 100644 --- a/aes/cipher_test.go +++ b/aes/cipher_test.go @@ -7,7 +7,7 @@ import ( "testing/quick" "github.com/stretchr/testify/assert" - "go.mozilla.org/sops/v3" + "github.com/getsops/sops/v3" ) func TestDecrypt(t *testing.T) { diff --git a/age/keysource.go b/age/keysource.go index 8e64e0f09..837333e17 100644 --- a/age/keysource.go +++ b/age/keysource.go @@ -12,7 +12,7 @@ import ( "filippo.io/age" "filippo.io/age/armor" "github.com/sirupsen/logrus" - "go.mozilla.org/sops/v3/logging" + "github.com/getsops/sops/v3/logging" ) const ( diff --git a/audit/audit.go b/audit/audit.go index b52215077..035783e4e 100644 --- a/audit/audit.go +++ b/audit/audit.go @@ -14,7 +14,7 @@ import ( "gopkg.in/yaml.v3" "github.com/sirupsen/logrus" - "go.mozilla.org/sops/v3/logging" + "github.com/getsops/sops/v3/logging" ) var log *logrus.Logger diff --git a/azkv/keysource.go b/azkv/keysource.go index 5724aab84..d32b880c3 100644 --- a/azkv/keysource.go +++ b/azkv/keysource.go @@ -1,9 +1,9 @@ /* -Package azkv contains an implementation of the go.mozilla.org/sops/v3/keys.MasterKey +Package azkv contains an implementation of the github.com/getsops/sops/v3/keys.MasterKey interface that encrypts and decrypts the data key using Azure Key Vault with the Azure Key Vault Keys client module for Go. */ -package azkv // import "go.mozilla.org/sops/v3/azkv" +package azkv // import "github.com/getsops/sops/v3/azkv" import ( "context" 
@@ -19,7 +19,7 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys" "github.com/sirupsen/logrus" - "go.mozilla.org/sops/v3/logging" + "github.com/getsops/sops/v3/logging" ) var ( diff --git a/cmd/sops/common/common.go b/cmd/sops/common/common.go index cde08076b..b675195bc 100644 --- a/cmd/sops/common/common.go +++ b/cmd/sops/common/common.go @@ -10,17 +10,17 @@ import ( "github.com/fatih/color" wordwrap "github.com/mitchellh/go-wordwrap" "github.com/urfave/cli" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/cmd/sops/codes" - . "go.mozilla.org/sops/v3/cmd/sops/formats" - "go.mozilla.org/sops/v3/keys" - "go.mozilla.org/sops/v3/keyservice" - "go.mozilla.org/sops/v3/kms" - "go.mozilla.org/sops/v3/stores/dotenv" - "go.mozilla.org/sops/v3/stores/ini" - "go.mozilla.org/sops/v3/stores/json" - "go.mozilla.org/sops/v3/stores/yaml" - "go.mozilla.org/sops/v3/version" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/cmd/sops/codes" + . "github.com/getsops/sops/v3/cmd/sops/formats" + "github.com/getsops/sops/v3/keys" + "github.com/getsops/sops/v3/keyservice" + "github.com/getsops/sops/v3/kms" + "github.com/getsops/sops/v3/stores/dotenv" + "github.com/getsops/sops/v3/stores/ini" + "github.com/getsops/sops/v3/stores/json" + "github.com/getsops/sops/v3/stores/yaml" + "github.com/getsops/sops/v3/version" "golang.org/x/crypto/ssh/terminal" ) diff --git a/cmd/sops/decrypt.go b/cmd/sops/decrypt.go index f348b16a7..680af4cad 100644 --- a/cmd/sops/decrypt.go +++ b/cmd/sops/decrypt.go @@ -3,10 +3,10 @@ package main import ( "fmt" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/cmd/sops/codes" - "go.mozilla.org/sops/v3/cmd/sops/common" - "go.mozilla.org/sops/v3/keyservice" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/cmd/sops/codes" + "github.com/getsops/sops/v3/cmd/sops/common" + "github.com/getsops/sops/v3/keyservice" ) type decryptOpts struct { diff --git a/cmd/sops/edit.go b/cmd/sops/edit.go index d1d5e6a75..e72d8fb23 100644 
--- a/cmd/sops/edit.go +++ b/cmd/sops/edit.go @@ -16,11 +16,11 @@ import ( "path/filepath" "github.com/google/shlex" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/cmd/sops/codes" - "go.mozilla.org/sops/v3/cmd/sops/common" - "go.mozilla.org/sops/v3/keyservice" - "go.mozilla.org/sops/v3/version" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/cmd/sops/codes" + "github.com/getsops/sops/v3/cmd/sops/common" + "github.com/getsops/sops/v3/keyservice" + "github.com/getsops/sops/v3/version" ) type editOpts struct { diff --git a/cmd/sops/encrypt.go b/cmd/sops/encrypt.go index 1aa09eeba..195833ae6 100644 --- a/cmd/sops/encrypt.go +++ b/cmd/sops/encrypt.go @@ -7,11 +7,11 @@ import ( "fmt" wordwrap "github.com/mitchellh/go-wordwrap" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/cmd/sops/codes" - "go.mozilla.org/sops/v3/cmd/sops/common" - "go.mozilla.org/sops/v3/keyservice" - "go.mozilla.org/sops/v3/version" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/cmd/sops/codes" + "github.com/getsops/sops/v3/cmd/sops/common" + "github.com/getsops/sops/v3/keyservice" + "github.com/getsops/sops/v3/version" ) type encryptOpts struct { diff --git a/cmd/sops/main.go b/cmd/sops/main.go index ca75d6281..9f7c5834b 100644 --- a/cmd/sops/main.go +++ b/cmd/sops/main.go @@ -1,4 +1,4 @@ -package main //import "go.mozilla.org/sops/v3/cmd/sops" +package main //import "github.com/getsops/sops/v3/cmd/sops" import ( encodingjson "encoding/json" 
@@ -15,29 +15,29 @@ import ( "github.com/sirupsen/logrus" "github.com/urfave/cli" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/aes" - "go.mozilla.org/sops/v3/age" - _ "go.mozilla.org/sops/v3/audit" - "go.mozilla.org/sops/v3/azkv" - "go.mozilla.org/sops/v3/cmd/sops/codes" - "go.mozilla.org/sops/v3/cmd/sops/common" - "go.mozilla.org/sops/v3/cmd/sops/subcommand/exec" - "go.mozilla.org/sops/v3/cmd/sops/subcommand/groups" - keyservicecmd "go.mozilla.org/sops/v3/cmd/sops/subcommand/keyservice" - publishcmd "go.mozilla.org/sops/v3/cmd/sops/subcommand/publish" - "go.mozilla.org/sops/v3/cmd/sops/subcommand/updatekeys" - "go.mozilla.org/sops/v3/config" - "go.mozilla.org/sops/v3/gcpkms" - "go.mozilla.org/sops/v3/hcvault" - "go.mozilla.org/sops/v3/keys" - "go.mozilla.org/sops/v3/keyservice" - "go.mozilla.org/sops/v3/kms" - "go.mozilla.org/sops/v3/logging" - "go.mozilla.org/sops/v3/pgp" - "go.mozilla.org/sops/v3/stores/dotenv" - "go.mozilla.org/sops/v3/stores/json" - "go.mozilla.org/sops/v3/version" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/aes" + "github.com/getsops/sops/v3/age" + _ "github.com/getsops/sops/v3/audit" + "github.com/getsops/sops/v3/azkv" + "github.com/getsops/sops/v3/cmd/sops/codes" + "github.com/getsops/sops/v3/cmd/sops/common" + "github.com/getsops/sops/v3/cmd/sops/subcommand/exec" + "github.com/getsops/sops/v3/cmd/sops/subcommand/groups" + keyservicecmd "github.com/getsops/sops/v3/cmd/sops/subcommand/keyservice" + publishcmd "github.com/getsops/sops/v3/cmd/sops/subcommand/publish" + "github.com/getsops/sops/v3/cmd/sops/subcommand/updatekeys" + "github.com/getsops/sops/v3/config" + "github.com/getsops/sops/v3/gcpkms" + "github.com/getsops/sops/v3/hcvault" + "github.com/getsops/sops/v3/keys" + "github.com/getsops/sops/v3/keyservice" + "github.com/getsops/sops/v3/kms" + "github.com/getsops/sops/v3/logging" + "github.com/getsops/sops/v3/pgp" + "github.com/getsops/sops/v3/stores/dotenv" + "github.com/getsops/sops/v3/stores/json" + 
"github.com/getsops/sops/v3/version" "google.golang.org/grpc" ) diff --git a/cmd/sops/rotate.go b/cmd/sops/rotate.go index 097fcd2a1..1818adae4 100644 --- a/cmd/sops/rotate.go +++ b/cmd/sops/rotate.go @@ -3,12 +3,12 @@ package main import ( "fmt" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/audit" - "go.mozilla.org/sops/v3/cmd/sops/codes" - "go.mozilla.org/sops/v3/cmd/sops/common" - "go.mozilla.org/sops/v3/keys" - "go.mozilla.org/sops/v3/keyservice" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/audit" + "github.com/getsops/sops/v3/cmd/sops/codes" + "github.com/getsops/sops/v3/cmd/sops/common" + "github.com/getsops/sops/v3/keys" + "github.com/getsops/sops/v3/keyservice" ) type rotateOpts struct { diff --git a/cmd/sops/set.go b/cmd/sops/set.go index bc94e4059..976a066ac 100644 --- a/cmd/sops/set.go +++ b/cmd/sops/set.go @@ -3,10 +3,10 @@ package main import ( "fmt" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/cmd/sops/codes" - "go.mozilla.org/sops/v3/cmd/sops/common" - "go.mozilla.org/sops/v3/keyservice" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/cmd/sops/codes" + "github.com/getsops/sops/v3/cmd/sops/common" + "github.com/getsops/sops/v3/keyservice" ) type setOpts struct { diff --git a/cmd/sops/subcommand/exec/exec.go b/cmd/sops/subcommand/exec/exec.go index cd8d33be5..720b2431d 100644 --- a/cmd/sops/subcommand/exec/exec.go +++ b/cmd/sops/subcommand/exec/exec.go @@ -7,7 +7,7 @@ import ( "runtime" "strings" - "go.mozilla.org/sops/v3/logging" + "github.com/getsops/sops/v3/logging" "github.com/sirupsen/logrus" ) diff --git a/cmd/sops/subcommand/groups/add.go b/cmd/sops/subcommand/groups/add.go index 33e3e0461..acd6b4619 100644 --- a/cmd/sops/subcommand/groups/add.go +++ b/cmd/sops/subcommand/groups/add.go 
@@ -3,9 +3,9 @@ package groups import ( "os" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/cmd/sops/common" - "go.mozilla.org/sops/v3/keyservice" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/cmd/sops/common" + "github.com/getsops/sops/v3/keyservice" ) // AddOpts are the options for adding a key group to a SOPS file diff --git a/cmd/sops/subcommand/groups/delete.go b/cmd/sops/subcommand/groups/delete.go index 5e70cdde7..9a101709c 100644 --- a/cmd/sops/subcommand/groups/delete.go +++ b/cmd/sops/subcommand/groups/delete.go @@ -5,9 +5,9 @@ import ( "fmt" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/cmd/sops/common" - "go.mozilla.org/sops/v3/keyservice" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/cmd/sops/common" + "github.com/getsops/sops/v3/keyservice" ) // DeleteOpts are the options for deleting a key group from a SOPS file diff --git a/cmd/sops/subcommand/keyservice/keyservice.go b/cmd/sops/subcommand/keyservice/keyservice.go index 6a92efaf1..c28f63690 100644 --- a/cmd/sops/subcommand/keyservice/keyservice.go +++ b/cmd/sops/subcommand/keyservice/keyservice.go @@ -6,8 +6,8 @@ import ( "os/signal" "syscall" - "go.mozilla.org/sops/v3/keyservice" - "go.mozilla.org/sops/v3/logging" + "github.com/getsops/sops/v3/keyservice" + "github.com/getsops/sops/v3/logging" "github.com/sirupsen/logrus" "google.golang.org/grpc" diff --git a/cmd/sops/subcommand/publish/publish.go b/cmd/sops/subcommand/publish/publish.go index 4f3804ca0..ee0dd27ae 100644 --- a/cmd/sops/subcommand/publish/publish.go +++ b/cmd/sops/subcommand/publish/publish.go 
@@ -7,14 +7,14 @@ import ( "path/filepath" "strings" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/cmd/sops/codes" - "go.mozilla.org/sops/v3/cmd/sops/common" - "go.mozilla.org/sops/v3/config" - "go.mozilla.org/sops/v3/keyservice" - "go.mozilla.org/sops/v3/logging" - "go.mozilla.org/sops/v3/publish" - "go.mozilla.org/sops/v3/version" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/cmd/sops/codes" + "github.com/getsops/sops/v3/cmd/sops/common" + "github.com/getsops/sops/v3/config" + "github.com/getsops/sops/v3/keyservice" + "github.com/getsops/sops/v3/logging" + "github.com/getsops/sops/v3/publish" + "github.com/getsops/sops/v3/version" "github.com/sirupsen/logrus" ) diff --git a/cmd/sops/subcommand/updatekeys/updatekeys.go b/cmd/sops/subcommand/updatekeys/updatekeys.go index 2b00989c0..6bb105864 100644 --- a/cmd/sops/subcommand/updatekeys/updatekeys.go +++ b/cmd/sops/subcommand/updatekeys/updatekeys.go @@ -6,10 +6,10 @@ import ( "os" "path/filepath" - "go.mozilla.org/sops/v3/cmd/sops/codes" - "go.mozilla.org/sops/v3/cmd/sops/common" - "go.mozilla.org/sops/v3/config" - "go.mozilla.org/sops/v3/keyservice" + "github.com/getsops/sops/v3/cmd/sops/codes" + "github.com/getsops/sops/v3/cmd/sops/common" + "github.com/getsops/sops/v3/config" + "github.com/getsops/sops/v3/keyservice" ) // Opts represents key operation options and config diff --git a/config/config.go b/config/config.go index a4db7b868..a96593068 100644 --- a/config/config.go +++ b/config/config.go @@ -1,7 +1,7 @@ /* Package config provides a way to find and load SOPS configuration files */ -package config //import "go.mozilla.org/sops/v3/config" +package config //import "github.com/getsops/sops/v3/config" import ( "fmt" 
@@ -13,15 +13,15 @@ import ( "strings" "github.com/sirupsen/logrus" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/age" - "go.mozilla.org/sops/v3/azkv" - "go.mozilla.org/sops/v3/gcpkms" - "go.mozilla.org/sops/v3/hcvault" - "go.mozilla.org/sops/v3/kms" - "go.mozilla.org/sops/v3/logging" - "go.mozilla.org/sops/v3/pgp" - "go.mozilla.org/sops/v3/publish" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/age" + "github.com/getsops/sops/v3/azkv" + "github.com/getsops/sops/v3/gcpkms" + "github.com/getsops/sops/v3/hcvault" + "github.com/getsops/sops/v3/kms" + "github.com/getsops/sops/v3/logging" + "github.com/getsops/sops/v3/pgp" + "github.com/getsops/sops/v3/publish" "gopkg.in/yaml.v3" ) diff --git a/decrypt/decrypt.go b/decrypt/decrypt.go index 6fd4a4fbe..506132894 100644 --- a/decrypt/decrypt.go +++ b/decrypt/decrypt.go @@ -2,16 +2,16 @@ Package decrypt is the external API other Go programs can use to decrypt SOPS files. It is the only package in SOPS with a stable API. */ -package decrypt // import "go.mozilla.org/sops/v3/decrypt" +package decrypt // import "github.com/getsops/sops/v3/decrypt" import ( "fmt" "io/ioutil" "time" - "go.mozilla.org/sops/v3/aes" - "go.mozilla.org/sops/v3/cmd/sops/common" - . "go.mozilla.org/sops/v3/cmd/sops/formats" // Re-export + "github.com/getsops/sops/v3/aes" + "github.com/getsops/sops/v3/cmd/sops/common" + . "github.com/getsops/sops/v3/cmd/sops/formats" // Re-export ) // File is a wrapper around Data that reads a local encrypted diff --git a/decrypt/example_test.go b/decrypt/example_test.go index 19af98be7..0ccdc87aa 100644 --- a/decrypt/example_test.go +++ b/decrypt/example_test.go @@ -3,7 +3,7 @@ package decrypt import ( "encoding/json" - "go.mozilla.org/sops/v3/logging" + "github.com/getsops/sops/v3/logging" "github.com/sirupsen/logrus" ) diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go index f165fe2ea..da8a8fa59 100644 --- a/gcpkms/keysource.go +++ b/gcpkms/keysource.go 
@@ -1,4 +1,4 @@ -package gcpkms // import "go.mozilla.org/sops/v3/gcpkms" +package gcpkms // import "github.com/getsops/sops/v3/gcpkms" import ( "context" @@ -15,7 +15,7 @@ import ( kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1" "google.golang.org/grpc" - "go.mozilla.org/sops/v3/logging" + "github.com/getsops/sops/v3/logging" ) const ( diff --git a/go.mod b/go.mod index 78b060e0f..a8c8bd573 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module go.mozilla.org/sops/v3 +module github.com/getsops/sops/v3 go 1.19 diff --git a/hcvault/keysource.go b/hcvault/keysource.go index f071030ad..d2aba26f1 100644 --- a/hcvault/keysource.go +++ b/hcvault/keysource.go @@ -18,7 +18,7 @@ import ( "github.com/mitchellh/go-homedir" "github.com/sirupsen/logrus" - "go.mozilla.org/sops/v3/logging" + "github.com/getsops/sops/v3/logging" ) func init() { diff --git a/keyservice/keyservice.go b/keyservice/keyservice.go index 103e3e6dc..321af7942 100644 --- a/keyservice/keyservice.go +++ b/keyservice/keyservice.go @@ -7,13 +7,13 @@ package keyservice import ( "fmt" - "go.mozilla.org/sops/v3/age" - "go.mozilla.org/sops/v3/azkv" - "go.mozilla.org/sops/v3/gcpkms" - "go.mozilla.org/sops/v3/hcvault" - "go.mozilla.org/sops/v3/keys" - "go.mozilla.org/sops/v3/kms" - "go.mozilla.org/sops/v3/pgp" + "github.com/getsops/sops/v3/age" + "github.com/getsops/sops/v3/azkv" + "github.com/getsops/sops/v3/gcpkms" + "github.com/getsops/sops/v3/hcvault" + "github.com/getsops/sops/v3/keys" + "github.com/getsops/sops/v3/kms" + "github.com/getsops/sops/v3/pgp" ) // KeyFromMasterKey converts a SOPS internal MasterKey to an RPC Key that can be serialized with Protocol Buffers diff --git a/keyservice/server.go b/keyservice/server.go index 08249ff24..82c1a4855 100644 --- a/keyservice/server.go +++ b/keyservice/server.go 
@@ -3,12 +3,12 @@ package keyservice import ( "fmt" - "go.mozilla.org/sops/v3/age" - "go.mozilla.org/sops/v3/azkv" - "go.mozilla.org/sops/v3/gcpkms" - "go.mozilla.org/sops/v3/hcvault" - "go.mozilla.org/sops/v3/kms" - "go.mozilla.org/sops/v3/pgp" + "github.com/getsops/sops/v3/age" + "github.com/getsops/sops/v3/azkv" + "github.com/getsops/sops/v3/gcpkms" + "github.com/getsops/sops/v3/hcvault" + "github.com/getsops/sops/v3/kms" + "github.com/getsops/sops/v3/pgp" "golang.org/x/net/context" "google.golang.org/grpc" "google.golang.org/grpc/codes" diff --git a/kms/keysource.go b/kms/keysource.go index d1e407f82..833f5ccd9 100644 --- a/kms/keysource.go +++ b/kms/keysource.go @@ -1,9 +1,9 @@ /* -Package kms contains an implementation of the go.mozilla.org/sops/v3.MasterKey +Package kms contains an implementation of the github.com/getsops/sops/v3.MasterKey interface that encrypts and decrypts the data key using AWS KMS with the SDK for Go V2. */ -package kms //import "go.mozilla.org/sops/v3/kms" +package kms //import "github.com/getsops/sops/v3/kms" import ( "context" @@ -20,7 +20,7 @@ import ( "github.com/aws/aws-sdk-go-v2/service/kms" "github.com/aws/aws-sdk-go-v2/service/sts" "github.com/sirupsen/logrus" - "go.mozilla.org/sops/v3/logging" + "github.com/getsops/sops/v3/logging" ) const ( diff --git a/make_download_page.sh b/make_download_page.sh index a3b7d23f3..e773cb573 100644 --- a/make_download_page.sh +++ b/make_download_page.sh @@ -1,11 +1,11 @@ #!/usr/bin/env bash [ ! -d dist ] && mkdir dist -echo -e "\nSops download page>\n\n

Sops download page

\n

go.mozilla.org/sops

\n" > index.html +echo -e "\nSops download page>\n\n

Sops download page

\n

github.com/getsops/sops/v3

\n
" > index.html IFS=$'\n' for dist in $(aws s3 ls s3://go.mozilla.org/sops/dist/ | grep -P "deb|rpm"); do ts=$(echo $dist|awk '{print $1,$2}') size=$(echo $dist|awk '{print $3}') pkg=$(echo $dist|awk '{print $4}') - echo -e "" >> index.html + echo -e "" >> index.html done echo -e "
$ts$size$pkg
$ts$size$pkg
\n\n" >> index.html diff --git a/pgp/keysource.go b/pgp/keysource.go index 2adf0c6f8..10f582da8 100644 --- a/pgp/keysource.go +++ b/pgp/keysource.go @@ -1,10 +1,10 @@ /* -Package pgp contains an implementation of the go.mozilla.org/sops/v3.MasterKey +Package pgp contains an implementation of the github.com/getsops/sops/v3.MasterKey interface that encrypts and decrypts the data key by first trying with the github.com/ProtonMail/go-crypto/openpgp package and if that fails, by calling the "gpg" binary. */ -package pgp //import "go.mozilla.org/sops/v3/pgp" +package pgp //import "github.com/getsops/sops/v3/pgp" import ( "bytes" @@ -22,7 +22,7 @@ import ( "github.com/ProtonMail/go-crypto/openpgp/armor" "github.com/sirupsen/logrus" gpgagent "go.mozilla.org/gopgagent" - "go.mozilla.org/sops/v3/logging" + "github.com/getsops/sops/v3/logging" "golang.org/x/term" ) diff --git a/publish/vault.go b/publish/vault.go index bfc5b3ba0..6f857cd01 100644 --- a/publish/vault.go +++ b/publish/vault.go @@ -6,7 +6,7 @@ import ( "github.com/google/go-cmp/cmp" vault "github.com/hashicorp/vault/api" - "go.mozilla.org/sops/v3/logging" + "github.com/getsops/sops/v3/logging" "github.com/sirupsen/logrus" ) diff --git a/sops.go b/sops.go index 09d0eee07..28aed98a4 100644 --- a/sops.go +++ b/sops.go 
@@ -2,10 +2,10 @@ Package sops manages JSON, YAML and BINARY documents to be encrypted or decrypted. This package should not be used directly. Instead, Sops users should install the -command line client via `go get -u go.mozilla.org/sops/v3/cmd/sops`, or use the -decryption helper provided at `go.mozilla.org/sops/v3/decrypt`. +command line client via `go get -u github.com/getsops/sops/v3/cmd/sops`, or use the +decryption helper provided at `github.com/getsops/sops/v3/decrypt`. -We do not guarantee API stability for any package other than `go.mozilla.org/sops/v3/decrypt`. +We do not guarantee API stability for any package other than `github.com/getsops/sops/v3/decrypt`. A Sops document is a Tree composed of a data branch with arbitrary key/value pairs and a metadata branch with encryption and integrity information. @@ -34,7 +34,7 @@ be recalculated and compared with the MAC stored in the document to verify that fraudulent changes have been applied. The MAC covers keys and values as well as their ordering. */ -package sops //import "go.mozilla.org/sops/v3" +package sops //import "github.com/getsops/sops/v3" import ( "crypto/rand" @@ -47,11 +47,11 @@ import ( "time" "github.com/sirupsen/logrus" - "go.mozilla.org/sops/v3/audit" - "go.mozilla.org/sops/v3/keys" - "go.mozilla.org/sops/v3/keyservice" - "go.mozilla.org/sops/v3/logging" - "go.mozilla.org/sops/v3/shamir" + "github.com/getsops/sops/v3/audit" + "github.com/getsops/sops/v3/keys" + "github.com/getsops/sops/v3/keyservice" + "github.com/getsops/sops/v3/logging" + "github.com/getsops/sops/v3/shamir" "golang.org/x/net/context" ) diff --git a/stores/dotenv/store.go b/stores/dotenv/store.go index 8add8a097..dedf8817c 100644 --- a/stores/dotenv/store.go +++ b/stores/dotenv/store.go @@ -1,4 +1,4 @@ -package dotenv //import "go.mozilla.org/sops/v3/stores/dotenv" +package dotenv //import "github.com/getsops/sops/v3/stores/dotenv" import ( "bytes" 
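Review bot: The package comment still tells users to install the CLI with `go get -u github.com/getsops/sops/v3/cmd/sops`, and this patch only swaps the host in that path: go.mod in the same patch declares `go 1.19`, and `go get` stopped building and installing executables in Go 1.18 (deprecated for that use in 1.17), so the documented command no longer produces a binary. The supported form is `go install github.com/getsops/sops/v3/cmd/sops@latest`. The same wording is emitted at runtime by PrintVersion in the version/version.go hunk and appears in the README.rst install section, so all three should move together rather than just the host name. The doc comment this hunk edits continues past the hunk; it ends at the `package sops` line changed in the following hunk.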
@@ -6,8 +6,8 @@ import ( "fmt" "strings" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/stores" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/stores" ) // SopsPrefix is the prefix for all metadatada entry keys diff --git a/stores/dotenv/store_test.go b/stores/dotenv/store_test.go index f4bd2cc85..163ddb022 100644 --- a/stores/dotenv/store_test.go +++ b/stores/dotenv/store_test.go @@ -5,7 +5,7 @@ import ( "testing" "github.com/stretchr/testify/assert" - "go.mozilla.org/sops/v3" + "github.com/getsops/sops/v3" ) var PLAIN = []byte(strings.TrimLeft(` diff --git a/stores/ini/store.go b/stores/ini/store.go index df5405294..6485467f1 100644 --- a/stores/ini/store.go +++ b/stores/ini/store.go @@ -1,4 +1,4 @@ -package ini //import "go.mozilla.org/sops/v3/stores/ini" +package ini //import "github.com/getsops/sops/v3/stores/ini" import ( "bytes" @@ -8,8 +8,8 @@ import ( "strconv" "strings" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/stores" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/stores" "gopkg.in/ini.v1" ) diff --git a/stores/ini/store_test.go b/stores/ini/store_test.go index 9be162957..3e833b54c 100644 --- a/stores/ini/store_test.go +++ b/stores/ini/store_test.go @@ -4,7 +4,7 @@ import ( "testing" "github.com/stretchr/testify/assert" - "go.mozilla.org/sops/v3" + "github.com/getsops/sops/v3" ) func TestDecodeIni(t *testing.T) { diff --git a/stores/json/store.go b/stores/json/store.go index 574b15206..1b18300f7 100644 --- a/stores/json/store.go +++ b/stores/json/store.go @@ -1,4 +1,4 @@ -package json //import "go.mozilla.org/sops/v3/stores/json" +package json //import "github.com/getsops/sops/v3/stores/json" import ( "bytes" @@ -6,8 +6,8 @@ import ( "fmt" "io" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/stores" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/stores" ) // Store handles storage of JSON data. 
diff --git a/stores/json/store_test.go b/stores/json/store_test.go index 81066f174..d9dd82733 100644 --- a/stores/json/store_test.go +++ b/stores/json/store_test.go @@ -4,7 +4,7 @@ import ( "testing" "github.com/stretchr/testify/assert" - "go.mozilla.org/sops/v3" + "github.com/getsops/sops/v3" ) func TestDecodeJSON(t *testing.T) { diff --git a/stores/stores.go b/stores/stores.go index da8781ab2..420c115c7 100644 --- a/stores/stores.go +++ b/stores/stores.go @@ -14,13 +14,13 @@ import ( "fmt" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/age" - "go.mozilla.org/sops/v3/azkv" - "go.mozilla.org/sops/v3/gcpkms" - "go.mozilla.org/sops/v3/hcvault" - "go.mozilla.org/sops/v3/kms" - "go.mozilla.org/sops/v3/pgp" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/age" + "github.com/getsops/sops/v3/azkv" + "github.com/getsops/sops/v3/gcpkms" + "github.com/getsops/sops/v3/hcvault" + "github.com/getsops/sops/v3/kms" + "github.com/getsops/sops/v3/pgp" ) // SopsFile is a struct used by the stores as a helper to unmarshal the SOPS metadata diff --git a/stores/yaml/store.go b/stores/yaml/store.go index 0a95d7c6a..4782428b6 100644 --- a/stores/yaml/store.go +++ b/stores/yaml/store.go @@ -1,4 +1,4 @@ -package yaml //import "go.mozilla.org/sops/v3/stores/yaml" +package yaml //import "github.com/getsops/sops/v3/stores/yaml" import ( "bytes" @@ -7,8 +7,8 @@ import ( "strings" "gopkg.in/yaml.v3" - "go.mozilla.org/sops/v3" - "go.mozilla.org/sops/v3/stores" + "github.com/getsops/sops/v3" + "github.com/getsops/sops/v3/stores" ) // Store handles storage of YAML data diff --git a/stores/yaml/store_test.go b/stores/yaml/store_test.go index 245a43104..bf0e1bfaa 100644 --- a/stores/yaml/store_test.go +++ b/stores/yaml/store_test.go @@ -4,7 +4,7 @@ import ( "testing" "github.com/stretchr/testify/assert" - "go.mozilla.org/sops/v3" + "github.com/getsops/sops/v3" ) var PLAIN = []byte(`--- diff --git a/version/version.go b/version/version.go index 3b00d12d9..db73522a9 100644 
--- a/version/version.go +++ b/version/version.go @@ -28,7 +28,7 @@ func PrintVersion(c *cli.Context) { out += fmt.Sprintf("\n[warning] failed to compare current version with latest: %v\n", err) } if outdated { - out += fmt.Sprintf("\n[info] sops %s is available, update with `go get -u go.mozilla.org/sops/v3/cmd/sops`\n", upstreamVersion) + out += fmt.Sprintf("\n[info] sops %s is available, update with `go get -u github.com/getsops/sops/v3/cmd/sops`\n", upstreamVersion) } else { out += " (latest)\n" } From 1d8e16416a32f16bb8ddcda094a23839185de320 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 11 Jul 2023 21:14:43 +0200 Subject: [PATCH 006/135] Remove "download page" generator This was historically used to generate https://go.mozilla.org/sops/, which is not under our control. Signed-off-by: Hidde Beydals --- Makefile | 3 --- make_download_page.sh | 11 ----------- 2 files changed, 14 deletions(-) delete mode 100644 make_download_page.sh diff --git a/Makefile b/Makefile index e97b17bc7..32f06f737 100644 --- a/Makefile +++ b/Makefile @@ -109,7 +109,4 @@ else -o tmppkg/sops-$$(git describe --abbrev=0 --tags).dmg tmpdmg endif -download-index: - bash make_download_page.sh - .PHONY: all test generate clean vendor functional-tests diff --git a/make_download_page.sh b/make_download_page.sh deleted file mode 100644 index e773cb573..000000000 --- a/make_download_page.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env bash -[ ! -d dist ] && mkdir dist -echo -e "\nSops download page>\n\n

Sops download page

\n

github.com/getsops/sops/v3

\n" > index.html -IFS=$'\n' -for dist in $(aws s3 ls s3://go.mozilla.org/sops/dist/ | grep -P "deb|rpm"); do - ts=$(echo $dist|awk '{print $1,$2}') - size=$(echo $dist|awk '{print $3}') - pkg=$(echo $dist|awk '{print $4}') - echo -e "" >> index.html -done -echo -e "
$ts$size$pkg
\n\n" >> index.html
From bbb21399d8c9a1fcfd6bfca66c374cfe6ef06566 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Sat, 12 Aug 2023 01:46:27 +0200 Subject: [PATCH 007/135] kms: update dependencies - github.com/aws/aws-sdk-go-v2 to v1.20.1 - github.com/aws/aws-sdk-go-v2/config to v1.18.33 - github.com/aws/aws-sdk-go-v2/credentials to v1.13.32 - github.com/aws/aws-sdk-go-v2/feature/s3/manager to v1.11.77 - github.com/aws/aws-sdk-go-v2/service/kms to v1.24.2 - github.com/aws/aws-sdk-go-v2/service/s3 to v1.38.2 - github.com/aws/aws-sdk-go-v2/service/sts to v1.21.2 Signed-off-by: Hidde Beydals --- go.mod | 40 ++++++++++++------------ go.sum | 80 ++++++++++++++++++++++++------------------ kms/keysource.go | 2 +- 3 files changed, 61 insertions(+), 61 deletions(-)
diff --git a/go.mod b/go.mod
index a8c8bd573..2dde2acaf 100644
--- a/go.mod
+++ b/go.mod
@@ -10,13 +10,13 @@ require (
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0
 github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec
- github.com/aws/aws-sdk-go-v2 v1.18.1
- github.com/aws/aws-sdk-go-v2/config v1.18.27
- github.com/aws/aws-sdk-go-v2/credentials v1.13.26
- github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.71
- github.com/aws/aws-sdk-go-v2/service/kms v1.22.2
- github.com/aws/aws-sdk-go-v2/service/s3 v1.36.0
- github.com/aws/aws-sdk-go-v2/service/sts v1.19.2
+ github.com/aws/aws-sdk-go-v2 v1.20.1
+ github.com/aws/aws-sdk-go-v2/config v1.18.33
+ github.com/aws/aws-sdk-go-v2/credentials v1.13.32
+ github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.77
+ github.com/aws/aws-sdk-go-v2/service/kms v1.24.2
+ github.com/aws/aws-sdk-go-v2/service/s3 v1.38.2
+ github.com/aws/aws-sdk-go-v2/service/sts v1.21.2
 github.com/blang/semver v3.5.1+incompatible
 github.com/fatih/color v1.15.0
 github.com/golang/protobuf v1.5.3
@@ -57,19 +57,19 @@ require (
 github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
 github.com/Microsoft/go-winio v0.6.0 // indirect
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
- github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 // indirect
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28 // indirect
- github.com/aws/aws-sdk-go-v2/internal/ini v1.3.35 // indirect
- github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.26 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.29 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.28 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.3 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.12.12 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.12 // indirect
- github.com/aws/smithy-go v1.13.5 // indirect
+ github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.12 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.8 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.38 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.32 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.39 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.1 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.13 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.33 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.32 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.1 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.13.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc 
v1.15.2 // indirect
+ github.com/aws/smithy-go v1.14.1 // indirect
 github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 github.com/cloudflare/circl v1.3.3 // indirect
diff --git a/go.sum b/go.sum
index 396de42aa..93be05035 100644
--- a/go.sum
+++ b/go.sum
@@ -38,46 +38,46 @@ github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec h1:vV3RryLxt4 github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/aws/aws-sdk-go-v2 v1.18.1 h1:+tefE750oAb7ZQGzla6bLkOwfcQCEtC5y2RqoqCeqKo= -github.com/aws/aws-sdk-go-v2 v1.18.1/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 h1:dK82zF6kkPeCo8J1e+tGx4JdvDIQzj7ygIoLg8WMuGs= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10/go.mod h1:VeTZetY5KRJLuD/7fkQXMU6Mw7H5m/KP2J5Iy9osMno= -github.com/aws/aws-sdk-go-v2/config v1.18.27 h1:Az9uLwmssTE6OGTpsFqOnaGpLnKDqNYOJzWuC6UAYzA= -github.com/aws/aws-sdk-go-v2/config v1.18.27/go.mod h1:0My+YgmkGxeqjXZb5BYme5pc4drjTnM+x1GJ3zv42Nw= -github.com/aws/aws-sdk-go-v2/credentials v1.13.26 h1:qmU+yhKmOCyujmuPY7tf5MxR/RKyZrOPO3V4DobiTUk= -github.com/aws/aws-sdk-go-v2/credentials v1.13.26/go.mod h1:GoXt2YC8jHUBbA4jr+W3JiemnIbkXOfxSXcisUsZ3os= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4 h1:LxK/bitrAr4lnh9LnIS6i7zWbCOdMsfzKFBI6LUCS0I= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4/go.mod h1:E1hLXN/BL2e6YizK1zFlYd8vsfi2GTjbjBazinMmeaM= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.71 h1:SAB1UAVaf6nGCu3zyIrV+VWsendXrms1GqtW4zBotKA= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.71/go.mod h1:ZNo5H4PR3/fwsXYqb+Ld5YAfvHcYCbltaTTtSay4l2o= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 h1:A5UqQEmPaCFpedKouS4v+dHCTUo2sKqhoKO9U5kxyWo= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34/go.mod h1:wZpTEecJe0Btj3IYnDx/VlUzor9wm3fJHyvLpQF0VwY= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28 
h1:srIVS45eQuewqz6fKKu6ZGXaq6FuFg5NzgQBAM6g8Y4= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28/go.mod h1:7VRpKQQedkfIEXb4k52I7swUnZP0wohVajJMRn3vsUw= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.35 h1:LWA+3kDM8ly001vJ1X1waCuLJdtTl48gwkPKWy9sosI= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.35/go.mod h1:0Eg1YjxE0Bhn56lx+SHJwCzhW+2JGtizsrx+lCqrfm0= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.26 h1:wscW+pnn3J1OYnanMnza5ZVYXLX4cKk5rAvUAl4Qu+c= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.26/go.mod h1:MtYiox5gvyB+OyP0Mr0Sm/yzbEAIPL9eijj/ouHAPw0= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 h1:y2+VQzC6Zh2ojtV2LoC0MNwHWc6qXv/j2vrQtlftkdA= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11/go.mod h1:iV4q2hsqtNECrfmlXyord9u4zyuFEJX9eLgLpSPzWA8= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.29 h1:zZSLP3v3riMOP14H7b4XP0uyfREDQOYv2cqIrvTXDNQ= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.29/go.mod h1:z7EjRjVwZ6pWcWdI2H64dKttvzaP99jRIj5hphW0M5U= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.28 h1:bkRyG4a929RCnpVSTvLM2j/T4ls015ZhhYApbmYs15s= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.28/go.mod h1:jj7znCIg05jXlaGBlFMGP8+7UN3VtCkRBG2spnmRQkU= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.3 h1:dBL3StFxHtpBzJJ/mNEsjXVgfO+7jR0dAIEwLqMapEA= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.3/go.mod h1:f1QyiAsvIv4B49DmCqrhlXqyaR+0IxMmyX+1P+AnzOM= -github.com/aws/aws-sdk-go-v2/service/kms v1.22.2 h1:jwmtdM1/l1DRNy5jQrrYpsQm8zwetkgeqhAqefDr1yI= -github.com/aws/aws-sdk-go-v2/service/kms v1.22.2/go.mod h1:aNfh11Smy55o65PB3MyKbkM8BFyFUcZmj1k+4g8eNfg= -github.com/aws/aws-sdk-go-v2/service/s3 v1.36.0 h1:lEmQ1XSD9qLk+NZXbgvLJI/IiTz7OIR2TYUTFH25EI4= -github.com/aws/aws-sdk-go-v2/service/s3 v1.36.0/go.mod h1:aVbf0sko/TsLWHx30c/uVu7c62+0EAJ3vbxaJga0xCw= -github.com/aws/aws-sdk-go-v2/service/sso v1.12.12 
h1:nneMBM2p79PGWBQovYO/6Xnc2ryRMw3InnDJq1FHkSY= -github.com/aws/aws-sdk-go-v2/service/sso v1.12.12/go.mod h1:HuCOxYsF21eKrerARYO6HapNeh9GBNq7fius2AcwodY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.12 h1:2qTR7IFk7/0IN/adSFhYu9Xthr0zVFTgBrmPldILn80= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.12/go.mod h1:E4VrHCPzmVB/KFXtqBGKb3c8zpbNBgKe3fisDNLAW5w= -github.com/aws/aws-sdk-go-v2/service/sts v1.19.2 h1:XFJ2Z6sNUUcAz9poj+245DMkrHE4h2j5I9/xD50RHfE= -github.com/aws/aws-sdk-go-v2/service/sts v1.19.2/go.mod h1:dp0yLPsLBOi++WTxzCjA/oZqi6NPIhoR+uF7GeMU9eg= -github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8= -github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aws/aws-sdk-go-v2 v1.20.1 h1:rZBf5DWr7YGrnlTK4kgDQGn1ltqOg5orCYb/UhOFZkg= +github.com/aws/aws-sdk-go-v2 v1.20.1/go.mod h1:NU06lETsFm8fUC6ZjhgDpVBcGZTFQ6XM+LZWZxMI4ac= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.12 h1:lN6L3LrYHeZ6xCxaIYtoWCx4GMLk4nRknsh29OMSqHY= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.12/go.mod h1:TDCkEAkMTXxTs0oLBGBKpBZbk3NLh8EvAfF0Q3x8/0c= +github.com/aws/aws-sdk-go-v2/config v1.18.33 h1:JKcw5SFxFW/rpM4mOPjv0VQ11E2kxW13F3exWOy7VZU= +github.com/aws/aws-sdk-go-v2/config v1.18.33/go.mod h1:hXO/l9pgY3K5oZJldamP0pbZHdPqqk+4/maa7DSD3cA= +github.com/aws/aws-sdk-go-v2/credentials v1.13.32 h1:lIH1eKPcCY1ylR4B6PkBGRWMHO3aVenOKJHWiS4/G2w= +github.com/aws/aws-sdk-go-v2/credentials v1.13.32/go.mod h1:lL8U3v/Y79YRG69WlAho0OHIKUXCyFvSXaIvfo81sls= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.8 h1:DK/9C+UN/X+1+Wm8pqaDksQr2tSLzq+8X1/rI/ZxKEQ= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.8/go.mod h1:ce7BgLQfYr5hQFdy67oX2svto3ufGtm6oBvmsHScI1Q= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.77 h1:oWSNL9oQy+do911sXpJyIc2J7RiUrbm9BecyaGy1wHo= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.77/go.mod h1:xvOdc97VpScJqB10YAI8r/cKuU7d9Ls/as03KROO2qY= 
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.38 h1:c8ed/T9T2K5I+h/JzmF5tpI46+OODQ74dzmdo+QnaMg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.38/go.mod h1:qggunOChCMu9ZF/UkAfhTz25+U2rLVb3ya0Ua6TTfCA= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.32 h1:hNeAAymUY5gu11WrrmFb3CVIp9Dar9hbo44yzzcQpzA= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.32/go.mod h1:0ZXSqrty4FtQ7p8TEuRde/SZm9X05KT18LAUlR40Ln0= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.39 h1:fc0ukRAiP1syoSGZYu+DaE+FulSYhTiJ8WpVu5jElU4= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.39/go.mod h1:WLAW8PT7+JhjZfLSWe7WEJaJu0GNo0cKc2Zyo003RBs= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.1 h1:vUh7dBFNS3oFCtVv6CiYKh5hP9ls8+kIpKLeFruIBLk= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.1/go.mod h1:sFMeinkhj/SZKQM8BxtvNtSPjJEo0Xrz+w3g2e4FSKI= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.13 h1:iV/W5OMBys+66OeXJi/7xIRrKZNsu0ylsLGu+6nbmQE= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.13/go.mod h1:ReJb6xYmtGyu9KoFtRreWegbN9dZqvZIIv4vWnhcsyI= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.33 h1:QviNkc+vGSuEHx8P+pVNKOdWLXBPIwMFv7p0fphgE4U= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.33/go.mod h1:fABTUmOrAgAalG2i9WJpjBvlnk7UK8YmnYaxN+Q2CwE= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.32 h1:dGAseBFEYxth10V23b5e2mAS+tX7oVbfYHD6dnDdAsg= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.32/go.mod h1:4jwAWKEkCR0anWk5+1RbfSg1R5Gzld7NLiuaq5bTR/Y= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.1 h1:PT6PBCycRwhpEW5hJnRiceCeoWJ+r3bdgXtV+VKG7Pk= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.1/go.mod h1:TqoxCLwT2nrxrBGA+z7t6OWM7LBkgRckK3gOjYE+7JA= +github.com/aws/aws-sdk-go-v2/service/kms v1.24.2 h1:I2ximKQ1xcMEOP1a4Dy2g/lCgqOTpHG/0Fpx2luA6QE= +github.com/aws/aws-sdk-go-v2/service/kms v1.24.2/go.mod 
h1:RwNGVcn98yGMXThTfLwa/+COSUXJ1opCiIETNxP4GNc= +github.com/aws/aws-sdk-go-v2/service/s3 v1.38.2 h1:v346f1h8sUBKXnEbrv43L37MTBlFHyKXQPIZHNAaghA= +github.com/aws/aws-sdk-go-v2/service/s3 v1.38.2/go.mod h1:cwCATiyNrXK9P2FsWdZ89g9mpsYv2rhk0UA/KByl5fY= +github.com/aws/aws-sdk-go-v2/service/sso v1.13.2 h1:A2RlEMo4SJSwbNoUUgkxTAEMduAy/8wG3eB2b2lP4gY= +github.com/aws/aws-sdk-go-v2/service/sso v1.13.2/go.mod h1:ju+nNXUunfIFamXUIZQiICjnO/TPlOmWcYhZcSy7xaE= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.2 h1:OJELEgyaT2kmaBGZ+myyZbTTLobfe3ox3FSh5eYK9Qs= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.2/go.mod h1:ubDBBaDFs1GHijSOTi8ljppML15GLG0HxhILtbjNNYQ= +github.com/aws/aws-sdk-go-v2/service/sts v1.21.2 h1:ympg1+Lnq33XLhcK/xTG4yZHPs1Oyxu+6DEWbl7qOzA= +github.com/aws/aws-sdk-go-v2/service/sts v1.21.2/go.mod h1:FQ/DQcOfESELfJi5ED+IPPAjI5xC6nxtSolVVB773jM= +github.com/aws/smithy-go v1.14.1 h1:EFKMUmH/iHMqLiwoEDx2rRjRQpI1YCn5jTysoaDujFs= +github.com/aws/smithy-go v1.14.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= diff --git a/kms/keysource.go b/kms/keysource.go index 833f5ccd9..09a26a326 100644 --- a/kms/keysource.go +++ b/kms/keysource.go @@ -19,8 +19,8 @@ import ( "github.com/aws/aws-sdk-go-v2/credentials" "github.com/aws/aws-sdk-go-v2/service/kms" "github.com/aws/aws-sdk-go-v2/service/sts" - "github.com/sirupsen/logrus" "github.com/getsops/sops/v3/logging" + "github.com/sirupsen/logrus" ) const ( From f10b437e8291394d76c1ce7a708aa17df6a364c4 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Sat, 12 Aug 2023 01:30:13 +0200 Subject: [PATCH 008/135] gcpkms: update GCP related dependencies While also updating the deprecated API module to `cloud.google.com/go/kms/apiv1/kmspb`. 
Signed-off-by: Hidde Beydals --- gcpkms/keysource.go | 2 +- go.mod | 33 ++++++++++++----------- go.sum | 65 +++++++++++++++++++++++---------------------- 3 files changed, 51 insertions(+), 49 deletions(-) diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go index da8a8fa59..b4ebbff3e 100644 --- a/gcpkms/keysource.go +++ b/gcpkms/keysource.go @@ -10,9 +10,9 @@ import ( "time" kms "cloud.google.com/go/kms/apiv1" + "cloud.google.com/go/kms/apiv1/kmspb" "github.com/sirupsen/logrus" "google.golang.org/api/option" - kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1" "google.golang.org/grpc" "github.com/getsops/sops/v3/logging" diff --git a/go.mod b/go.mod index 2dde2acaf..8c32af13d 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/getsops/sops/v3 go 1.19 require ( - cloud.google.com/go/kms v1.12.1 + cloud.google.com/go/kms v1.15.1 cloud.google.com/go/storage v1.31.0 filippo.io/age v1.1.1 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1 
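Review bot: The go.mod hunk in this same patch still carries `google.golang.org/genproto` as a direct requirement after this hunk drops the only `genproto/googleapis/cloud/kms/v1` import from gcpkms/keysource.go; if this file was the last importer, `go mod tidy` would be expected to remove it or mark it `// indirect`, so it is worth confirming nothing else in the module still depends on it rather than leaving a direct dependency that no code references. The replacement path ends in `kmspb`, which presumably keeps the package identifier the call sites use, but those call sites are outside the hunk and are not visible here.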
@@ -33,24 +33,24 @@ require ( github.com/stretchr/testify v1.8.4 github.com/urfave/cli v1.22.14 go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a - golang.org/x/crypto v0.10.0 - golang.org/x/net v0.11.0 - golang.org/x/sys v0.9.0 - golang.org/x/term v0.9.0 - google.golang.org/api v0.129.0 - google.golang.org/genproto v0.0.0-20230629202037-9506855d4529 - google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529 - google.golang.org/grpc v1.56.1 + golang.org/x/crypto v0.12.0 + golang.org/x/net v0.14.0 + golang.org/x/sys v0.11.0 + golang.org/x/term v0.11.0 + google.golang.org/api v0.136.0 + google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 + google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577 + google.golang.org/grpc v1.57.0 google.golang.org/protobuf v1.31.0 gopkg.in/ini.v1 v1.67.0 gopkg.in/yaml.v3 v3.0.1 ) require ( - cloud.google.com/go v0.110.2 // indirect - cloud.google.com/go/compute v1.19.3 // indirect + cloud.google.com/go v0.110.6 // indirect + cloud.google.com/go/compute v1.23.0 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect - cloud.google.com/go/iam v1.1.0 // indirect + cloud.google.com/go/iam v1.1.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect @@ -87,7 +87,7 @@ require ( github.com/google/s2a-go v0.1.4 // indirect github.com/google/uuid v1.3.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect - github.com/googleapis/gax-go/v2 v2.11.0 // indirect + github.com/googleapis/gax-go/v2 v2.12.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-hclog v1.2.1 // indirect 
@@ -118,13 +118,14 @@ require ( github.com/xeipuuv/gojsonschema v1.2.0 // indirect go.opencensus.io v0.24.0 // indirect golang.org/x/mod v0.9.0 // indirect - golang.org/x/oauth2 v0.9.0 // indirect - golang.org/x/text v0.10.0 // indirect + golang.org/x/oauth2 v0.11.0 // indirect + golang.org/x/sync v0.3.0 // indirect + golang.org/x/text v0.12.0 // indirect golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect golang.org/x/tools v0.7.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 // indirect gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect ) diff --git a/go.sum b/go.sum index 93be05035..a32e2c841 100644 --- a/go.sum +++ b/go.sum 
@@ -1,15 +1,15 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.110.2 h1:sdFPBr6xG9/wkBbfhmUz/JmZC7X6LavQgcrVINrKiVA=
-cloud.google.com/go v0.110.2/go.mod h1:k04UEeEtb6ZBRTv3dZz4CeJC3jKGxyhl0sAiVVquxiw=
-cloud.google.com/go/compute v1.19.3 h1:DcTwsFgGev/wV5+q8o2fzgcHOaac+DKGC91ZlvpsQds=
-cloud.google.com/go/compute v1.19.3/go.mod h1:qxvISKp/gYnXkSAD1ppcSOveRAmzxicEv/JlizULFrI=
+cloud.google.com/go v0.110.6 h1:8uYAkj3YHTP/1iwReuHPxLSbdcyc+dSBbzFMrVwDR6Q=
+cloud.google.com/go v0.110.6/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI=
+cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY=
+cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
-cloud.google.com/go/iam v1.1.0 h1:67gSqaPukx7O8WLLHMa0PNs3EBGd2eE4d+psbO/CO94=
-cloud.google.com/go/iam v1.1.0/go.mod h1:nxdHjaKfCr7fNYx/HJMM8LgiMugmveWlkatear5gVyk=
-cloud.google.com/go/kms v1.12.1 h1:xZmZuwy2cwzsocmKDOPu4BL7umg8QXagQx6fKVmf45U=
-cloud.google.com/go/kms v1.12.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM=
+cloud.google.com/go/iam v1.1.1 h1:lW7fzj15aVIXYHREOqjRBV9PsH0Z6u8Y46a1YGvQP4Y=
+cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU=
+cloud.google.com/go/kms v1.15.1 h1:HUC3fAoepH3RpcQXiJhXWWYizjQ5r7YjI7SO9ZbHf9s=
+cloud.google.com/go/kms v1.15.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM=
 cloud.google.com/go/storage v1.31.0 h1:+S3LjjEN2zZ+L5hOwj4+1OkGCsLVe0NzpXKQ1pSdTCI=
 cloud.google.com/go/storage v1.31.0/go.mod h1:81ams1PrhW16L4kF7qg+4mTq7SRs5HsbDTM0bWvrwJ0=
 filippo.io/age v1.1.1 h1:pIpO7l151hCnQ4BdyBujnGP2YlUo0uj6sAVNHGBvXHg=
@@ -186,8 +186,8 @@ github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.2.5 h1:UR4rDjcgpgEnqpIEvkiqTYKBCKLNmlge2eVjoZfySzM=
 github.com/googleapis/enterprise-certificate-proxy v0.2.5/go.mod h1:RxW0N9901Cko1VOCW3SXCpWP+mlIEkk2tP7jnHy9a3w=
-github.com/googleapis/gax-go/v2 v2.11.0 h1:9V9PWXEsWnPpQhu/PeQIkS4eGzMlTLGgt80cUUI8Ki4=
-github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI=
+github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
+github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
 github.com/goware/prefixer v0.0.0-20160118172347-395022866408 h1:Y9iQJfEqnN3/Nce9cOegemcy/9Ai5k3huT6E80F3zaw=
 github.com/goware/prefixer v0.0.0-20160118172347-395022866408/go.mod h1:PE1ycukgRPJ7bJ9a1fdfQ9j8i/cEcRAoLZzbxYpNB/s=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
@@ -334,8 +334,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM=
-golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
+golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -365,12 +365,12 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU=
-golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
+golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
+golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.9.0 h1:BPpt2kU7oMRq3kCHAA1tbSEshXRw1LpG2ztgDwrzuAs=
-golang.org/x/oauth2 v0.9.0/go.mod h1:qYgFZaFiu6Wg24azG8bdV52QJXJGbZzIIsRCdVKzbLw=
+golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
+golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -380,6 +380,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -411,15 +412,15 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.9.0 h1:GRRCnKYhdQrD8kfRAdQ6Zcw1P0OcELxGLKJvtjVMZ28=
-golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
+golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
+golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -429,8 +430,8 @@ golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
-golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
+golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20220609170525-579cf78fd858 h1:Dpdu/EMxGMFgq0CeYMh4fazTD2vtlZRYE7wyynxJb9U=
 golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -452,8 +453,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-google.golang.org/api v0.129.0 h1:2XbdjjNfFPXQyufzQVwPf1RRnHH8Den2pfNE2jw7L8w=
-google.golang.org/api v0.129.0/go.mod h1:dFjiXlanKwWE3612X97llhsoI36FAoIiRj3aTl5b/zE=
+google.golang.org/api v0.136.0 h1:e/6enzUE1s4tGPa6Q3ZYShKTtvRc+1Jq0rrafhppmOs=
+google.golang.org/api v0.136.0/go.mod h1:XtJfF+V2zgUxelOn5Zs3kECtluMxneJG8ZxUTlLNTPA=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
@@ -462,12 +463,12 @@ google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoA google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20230629202037-9506855d4529 h1:9JucMWR7sPvCxUFd6UsOUNmA5kCcWOfORaT3tpAsKQs= -google.golang.org/genproto v0.0.0-20230629202037-9506855d4529/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64= -google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc h1:kVKPf/IiYSBWEWtkIn6wZXwWGCnLKcC8oWfZvXjsGnM= -google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529 h1:DEH99RbiLZhMxrpEJCZ0A+wdTe0EOgou/poSLx9vWf4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 h1:L6iMMGrtzgHsWofoFcihmDEMYeDR9KN/ThbPWGrh++g= +google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5/go.mod h1:oH/ZOT02u4kWEp7oYBGYFFkCdKS/uYR9Z7+0/xuuFp8= +google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 h1:nIgk/EEq3/YlnmVVXVnm14rC2oxgs1o0ong4sD/rd44= +google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5/go.mod h1:5DZzOUPCLYL3mNkQ0ms0F3EuUNZ7py1Bqeq6sxzI7/Q= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577 h1:wukfNtZmZUurLN/atp2hiIeTKn7QJWIQdHzqmsOnAOk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= google.golang.org/grpc v1.19.0/go.mod 
h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= @@ -476,8 +477,8 @@ google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTp google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= -google.golang.org/grpc v1.56.1 h1:z0dNfjIl0VpaZ9iSVjA6daGatAYwPGstTjt5vkRMFkQ= -google.golang.org/grpc v1.56.1/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw= +google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From f1d8a45afcc3069c23d363cf146e1a1baebad140 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Sat, 12 Aug 2023 01:41:06 +0200 Subject: [PATCH 009/135] azkv: update dependencies - github.com/Azure/azure-sdk-for-go/sdk/azcore to v1.7.0 - github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys to v1.0.0 This includes dealing with some breaking changes, which should be the last ones for the foreseeable future as they tagged it as the first MAJOR. Signed-off-by: Hidde Beydals --- azkv/keysource.go | 10 +++++----- azkv/keysource_integration_test.go | 10 +++++----- go.mod | 6 +++--- go.sum | 12 ++++++------ 4 files changed, 19 insertions(+), 19 deletions(-) 
diff --git a/azkv/keysource.go b/azkv/keysource.go index d32b880c3..6222adc4e 100644 --- a/azkv/keysource.go +++ b/azkv/keysource.go @@ -16,7 +16,7 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/azcore" "github.com/Azure/azure-sdk-for-go/sdk/azcore/to" "github.com/Azure/azure-sdk-for-go/sdk/azidentity" - "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys" + "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys" "github.com/sirupsen/logrus" "github.com/getsops/sops/v3/logging" @@ -127,8 +127,8 @@ func (key *MasterKey) Encrypt(dataKey []byte) error { return fmt.Errorf("failed to construct Azure Key Vault client to encrypt data: %w", err) } - resp, err := c.Encrypt(context.Background(), key.Name, key.Version, azkeys.KeyOperationsParameters{ - Algorithm: to.Ptr(azkeys.JSONWebKeyEncryptionAlgorithmRSAOAEP256), + resp, err := c.Encrypt(context.Background(), key.Name, key.Version, azkeys.KeyOperationParameters{ + Algorithm: to.Ptr(azkeys.EncryptionAlgorithmRSAOAEP256), Value: dataKey, }, nil) if err != nil { @@ -182,8 +182,8 @@ func (key *MasterKey) Decrypt() ([]byte, error) { return nil, fmt.Errorf("failed to construct Azure Key Vault client to decrypt data: %w", err) } - resp, err := c.Decrypt(context.Background(), key.Name, key.Version, azkeys.KeyOperationsParameters{ - Algorithm: to.Ptr(azkeys.JSONWebKeyEncryptionAlgorithmRSAOAEP256), + resp, err := c.Decrypt(context.Background(), key.Name, key.Version, azkeys.KeyOperationParameters{ + Algorithm: to.Ptr(azkeys.EncryptionAlgorithmRSAOAEP256), Value: rawEncryptedKey, }, nil) if err != nil { diff --git a/azkv/keysource_integration_test.go b/azkv/keysource_integration_test.go index 50e9641b7..fa6382263 100644 --- a/azkv/keysource_integration_test.go +++ b/azkv/keysource_integration_test.go 
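Review bot: `azkeys.EncryptionAlgorithmRSAOAEP256` is now spelled out independently in the `Encrypt` hunk and again in the `Decrypt` hunk (and a third time in the integration test in the next file), and this is exactly the identifier the SDK renamed in this major version; since the wrap and unwrap algorithm must agree for a data key to round-trip, a single package-level constant referenced from both call sites, for example `const keyWrapAlgorithm = azkeys.EncryptionAlgorithmRSAOAEP256` with a comment that the choice is fixed by the format of already-encrypted files, would keep the two in lockstep on the next rename. The renames themselves look mechanical, and both `Encrypt` and `Decrypt` continue outside their hunks, so the handling of `resp` after the call is not visible here.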
@@ -11,7 +11,7 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/azcore" "github.com/Azure/azure-sdk-for-go/sdk/azcore/to" "github.com/Azure/azure-sdk-for-go/sdk/azidentity" - "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys" + "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys" "github.com/stretchr/testify/assert" ) @@ -50,8 +50,8 @@ func TestMasterKey_Decrypt(t *testing.T) { c, err := azkeys.NewClient(key.VaultURL, key.tokenCredential, nil) assert.NoError(t, err) - resp, err := c.Encrypt(context.Background(), key.Name, key.Version, azkeys.KeyOperationsParameters{ - Algorithm: to.Ptr(azkeys.JSONWebKeyEncryptionAlgorithmRSAOAEP256), + resp, err := c.Encrypt(context.Background(), key.Name, key.Version, azkeys.KeyOperationParameters{ + Algorithm: to.Ptr(azkeys.EncryptionAlgorithmRSAOAEP256), Value: data, }, nil) assert.NoError(t, err) @@ -101,8 +101,8 @@ func createTestKMSKeyIfNotExists() (*MasterKey, error) { } if err != nil { createResp, err := c.CreateKey(context.TODO(), key.Name, azkeys.CreateKeyParameters{ - Kty: to.Ptr(azkeys.JSONWebKeyTypeRSA), - KeyOps: to.SliceOfPtrs(azkeys.JSONWebKeyOperationEncrypt, azkeys.JSONWebKeyOperationDecrypt), + Kty: to.Ptr(azkeys.KeyTypeRSA), + KeyOps: to.SliceOfPtrs(azkeys.KeyOperationEncrypt, azkeys.KeyOperationDecrypt), }, nil) if err != nil { return nil, err diff --git a/go.mod b/go.mod index 8c32af13d..4ddad8b24 100644 --- a/go.mod +++ b/go.mod @@ -6,9 +6,9 @@ require ( cloud.google.com/go/kms v1.15.1 cloud.google.com/go/storage v1.31.0 filippo.io/age v1.1.1 - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 - github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.0 github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec github.com/aws/aws-sdk-go-v2 v1.20.1 github.com/aws/aws-sdk-go-v2/config v1.18.33 
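Review bot: In the `createTestKMSKeyIfNotExists` hunk, `azkeys.CreateKeyParameters` is populated with only `Kty` and `KeyOps`, so the test key presumably gets whatever RSA size the service defaults to; pinning the size explicitly would make the fixture match the production `Encrypt`/`Decrypt` expectations rather than a default that can change underneath the test. The `KeyOps` list deliberately limits the key to encrypt and decrypt, which is the right least-privilege shape, and a one-line comment such as `// Restrict the key to the two operations the MasterKey code path uses.` would stop a future edit from widening it. The function continues outside the hunk, so the naming of the key and the client construction are not visible here.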
@@ -52,7 +52,7 @@ require ( cloud.google.com/go/compute/metadata v0.2.3 // indirect cloud.google.com/go/iam v1.1.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect - github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 // indirect github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect github.com/Microsoft/go-winio v0.6.0 // indirect diff --git a/go.sum b/go.sum index a32e2c841..2bced74f6 100644 --- a/go.sum +++ b/go.sum 
@@ -14,16 +14,16 @@ cloud.google.com/go/storage v1.31.0 h1:+S3LjjEN2zZ+L5hOwj4+1OkGCsLVe0NzpXKQ1pSdT cloud.google.com/go/storage v1.31.0/go.mod h1:81ams1PrhW16L4kF7qg+4mTq7SRs5HsbDTM0bWvrwJ0= filippo.io/age v1.1.1 h1:pIpO7l151hCnQ4BdyBujnGP2YlUo0uj6sAVNHGBvXHg= filippo.io/age v1.1.1/go.mod h1:l03SrzDUrBkdBx8+IILdnn2KZysqQdbEBUQ4p3sqEQE= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1 h1:SEy2xmstIphdPwNBUi7uhvjyjhVKISfwjfOJmuy7kg4= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0 h1:8q4SaHjFsClSvuVne0ID/5Ka8u3fcIHyqkLjcFpNRHQ= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= -github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 h1:m/sWOGCREuSBqg2htVQTBY8nOZpyajYztF0vUvSZTuM= -github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0/go.mod h1:Pu5Zksi2KrU7LPbZbNINx6fuVrUp/ffvpxdDj+i8LeE= -github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 h1:FbH3BbSb4bvGluTesZZ+ttN/MDsnMmQP36OSnDuSXqw= -github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1/go.mod h1:9V2j0jn9jDEkCkv8w/bKTNppX/d0FVA1ud77xCIP4KA= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.0 h1:yfJe15aSwEQ6Oo6J+gdfdulPNoZ3TEhmbhLIoxZcA+U= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.0/go.mod h1:Q28U+75mpCaSCDowNEmhIo/rmgdkqmkmzI7N6TGR4UY= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 
h1:T028gtTPiYt/RMUfs8nVsAL7FDQrfLlrm/NnRG/zcC4= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0/go.mod h1:cw4zVQgBby0Z5f2v0itn6se2dDP17nTjbZFXW5uPyHA= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY= From 1ba02bd759a4c82c8b6aa56df9aff3cf90cc6479 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Sat, 12 Aug 2023 12:14:04 +0200 Subject: [PATCH 010/135] docs: update Azure default credential chain info Signed-off-by: Hidde Beydals --- README.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.rst b/README.rst index e188351c8..76c6d71d7 100644 --- a/README.rst +++ b/README.rst @@ -248,10 +248,11 @@ which tries several authentication methods, in this order: i. Service Principal with Client Secret ii. Service Principal with Certificate iii. User with username and password + iv. Configuration for multi-tenant applications -2. `Managed Identity credentials `_ -3. `Azure CLI credentials `_ - +2. `Workload Identity credentials `_ +3. `Managed Identity credentials `_ +4. `Azure CLI credentials `_ For example, you can use a Service Principal with the following environment variables: From 031182739037f5a5dba1d2ecd74f1dfb473b4a9e Mon Sep 17 00:00:00 2001 
From: Hidde Beydals Date: Tue, 11 Jul 2023 23:32:37 +0200 Subject: [PATCH 011/135] release: outline release logic using GoReleaser This adds the base for releasing using GoReleaser going forward in a backwards compatible manner, which means: - Publishing of artifacts in the same formats as previous releases - Publishing of RPM and deb artifacts in the same formats as previous releases (although the metadata may need a bit of tweaking) In addition, it includes: - SBOM inclusion per binary artifact It still needs work around: - Artifact signing - SLSA compliance - Docker images - GitHub release - Changelog generation - GitHub Action workflow Signed-off-by: Hidde Beydals --- .gitignore | 3 +- .goreleaser.yaml | 114 +++++++++++++++++++++++++++++++++++++++++++++ Makefile | 6 +-- version/version.go | 2 +- 4 files changed, 120 insertions(+), 5 deletions(-) create mode 100644 .goreleaser.yaml diff --git a/.gitignore b/.gitignore index d7e97440f..de453ba26 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ -target +dist/ +target/ Cargo.lock vendor/ coverage.txt diff --git a/.goreleaser.yaml b/.goreleaser.yaml new file mode 100644 index 000000000..58167f6a5 --- /dev/null +++ b/.goreleaser.yaml 
@@ -0,0 +1,114 @@ +# yaml-language-server: $schema=https://goreleaser.com/static/schema.json + +project_name: sops + +# xref: https://goreleaser.com/customization/build/ +builds: + - id: binary-linux + main: ./cmd/sops + # Specially crafted to ensure compatibility with release artifacts < v3.8.0. + binary: "{{ .ProjectName }}-{{ .Version }}.{{ .Os }}.{{ .Arch }}" + flags: + - -v + - -trimpath + ldflags: + - -s + - -w + - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}" + env: + - CGO_ENABLED=0 + goos: + - linux + goarch: + - amd64 + - arm64 + # Modified timestamp on the binary, set to ensure reproducible builds. + mod_timestamp: "{{ .CommitTimestamp }}" + + - id: binary-darwin + main: ./cmd/sops + # Specially crafted to ensure compatibility with release artifacts < v3.8.0. + binary: "{{ .ProjectName }}-{{ .Version }}.{{ .Os }}.{{ .Arch }}" + flags: + - -v + - -trimpath + ldflags: + - -s + - -w + - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}" + env: + - CGO_ENABLED=0 + goos: + - darwin + goarch: + - amd64 + - arm64 + # Modified timestamp on the binary, set to ensure reproducible builds. + mod_timestamp: "{{ .CommitTimestamp }}" + + - id: binary-windows + main: ./cmd/sops + # Specially crafted to ensure compatibility with release artifacts < v3.8.0. + binary: "{{ .ProjectName }}-{{ .Version }}" + flags: + - -v + - -trimpath + ldflags: + - -s + - -w + - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}" + env: + - CGO_ENABLED=0 + goos: + - windows + goarch: + - amd64 + # Modified timestamp on the binary, set to ensure reproducible builds. + mod_timestamp: "{{ .CommitTimestamp }}" + +# xref: https://goreleaser.com/customization/universalbinaries/ +universal_binaries: + - ids: + - binary-darwin + # Specially crafted to ensure compatibility with release artifacts < v3.8.0. + # Before v3.8.0, this used to be _just_ the AMD64 binary. 
+ name_template: '{{ .ProjectName }}-{{ .Version }}.darwin' + replace: false + +# xref: https://goreleaser.com/customization/nfpm/ +nfpms: + - id: deb + package_name: '{{ .ProjectName }}' + file_name_template: '{{ .ConventionalFileName }}' + vendor: SOPS (Secret OPerationS) project + homepage: https://github.com/getsops/sops + maintainer: SOPS maintainers + description: Simple and flexible tool for managing secrets + license: MPL-2.0 + formats: + - deb + - rpm + +# xref: https://goreleaser.com/customization/checksum/ +checksum: + name_template: "{{ .ProjectName }}-{{ .Version }}.checksums.txt" + algorithm: sha256 + ids: + - binary-linux + - binary-darwin + - binary-windows + +# xref: https://goreleaser.com/customization/snapshots/ +snapshot: + name_template: "{{ incpatch .Version }}-dev-{{ .ShortCommit }}" + +# xref: https://goreleaser.com/customization/archive/#disable-archiving +archives: + - format: binary + +# xref: https://goreleaser.com/customization/sbom/ +sboms: + - id: binary-sbom + artifacts: binary + documents: + - "${artifact}.spdx.sbom.json" diff --git a/Makefile b/Makefile index 32f06f737..ee0b5831f 100644 --- a/Makefile +++ b/Makefile @@ -2,9 +2,9 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. -PROJECT := github.com/getsops/sops/v3 -GO := GOPROXY=https://proxy.golang.org go -GOLINT := golint +PROJECT := github.com/getsops/sops/v3 +GO := GOPROXY=https://proxy.golang.org go +GOLINT := golint all: test vet generate install functional-tests origin-build: test vet generate install functional-tests-all diff --git a/version/version.go b/version/version.go index db73522a9..0527b5255 100644 --- a/version/version.go +++ b/version/version.go @@ -11,7 +11,7 @@ import ( ) // Version represents the value of the current semantic version -const Version = "3.7.3" +var Version = "3.7.3" // PrintVersion handles the version command for sops func PrintVersion(c *cli.Context) { 
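Review bot: The `-X "go.mozilla.org/sops/v3/version.Version={{ .Version }}"` ldflag repeated in all three builds targets an import path that is not this module's — the Makefile hunk in the same patch sets `PROJECT := github.com/getsops/sops/v3` — and the Go linker silently ignores `-X` for a symbol it cannot find, so release binaries would keep reporting the hard-coded version. Change it to `-X "github.com/getsops/sops/v3/version.Version={{ .Version }}"`, ideally derived from one variable so the three copies cannot drift. Separately, `checksum.ids` lists only the three `binary-*` builds, so the deb and rpm packages from `nfpms` never appear in `sops-<version>.checksums.txt` and cannot be verified against it; dropping the `ids:` filter or adding `deb` fixes that, and whether the `replace: false` universal binary is picked up by that filter is worth confirming in a snapshot run.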
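Review bot: Turning `Version` into a `var` is what allows `-ldflags -X` to set it, but nothing at the declaration says so, and builds that bypass GoReleaser (`go install`, `go build`) will keep reporting whatever literal is committed here. Add a comment such as `// Version is the fallback value; release builds overwrite it at link time with -ldflags "-X github.com/getsops/sops/v3/version.Version=<tag>"`. A `runtime/debug.ReadBuildInfo()` fallback would let module-built binaries report a meaningful version as well. `PrintVersion` continues outside the hunk.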
From 45121cf02ff94e614afbc20e798e9ee33ed76d6f Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Sun, 30 Jul 2023 22:51:18 +0200 Subject: [PATCH 012/135] release: configure build of Docker images GoReleaser requires specifically crafted Dockerfiles as the build context is dynamically constructed. For more information, refer to https://goreleaser.com/errors/docker-build/#do and other documentation around Docker image templates and manifests. Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 100 +++++++++++++++++++++++++++++++++---- .release/Dockerfile | 16 ++++++ .release/alpine.Dockerfile | 13 +++++ 3 files changed, 120 insertions(+), 9 deletions(-) create mode 100644 .release/Dockerfile create mode 100644 .release/alpine.Dockerfile diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 58167f6a5..04d704d4e 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -12,9 +12,9 @@ builds: - -v - -trimpath ldflags: - - -s - - -w - - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}" + - > + -extldflags "-static" -s -w + -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}" env: - CGO_ENABLED=0 goos: @@ -33,9 +33,9 @@ builds: - -v - -trimpath ldflags: - - -s - - -w - - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}" + - > + -extldflags "-static" -s -w + -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}" env: - CGO_ENABLED=0 goos: @@ -54,9 +54,9 @@ builds: - -v - -trimpath ldflags: - - -s - - -w - - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}" + - > + -extldflags "-static" -s -w + -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}" env: - CGO_ENABLED=0 goos: 
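Review bot: `-extldflags "-static"` is added to all three builds, but each still sets `CGO_ENABLED=0`, and with cgo off the Go linker never invokes the external linker, so the flag is inert and suggests static linking is being provided by something other than `CGO_ENABLED=0` itself. Either drop it or annotate it, e.g. `# -extldflags is a no-op while CGO_ENABLED=0; kept only for a future cgo build`. Folding the flags into a single `>` scalar presumably relies on GoReleaser shell-splitting the string; that is fine, but the three identical copies now have to be kept in sync by hand, which a YAML anchor would avoid.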
@@ -112,3 +112,85 @@ sboms: artifacts: binary documents: - "${artifact}.spdx.sbom.json" + +# xref: https://goreleaser.com/customization/docker/ +dockers: + - image_templates: + - 'getsops/sops:{{ .Version }}-amd64' + use: buildx + goos: linux + goarch: amd64 + ids: + - binary-linux + dockerfile: .release/Dockerfile + build_flag_templates: + - "--pull" + - "--platform=linux/amd64" + - "--label=org.opencontainers.image.created={{ .Date }}" + - "--label=org.opencontainers.image.name={{ .ProjectName }}" + - "--label=org.opencontainers.image.revision={{ .FullCommit }}" + - "--label=org.opencontainers.image.version={{ .Version }}" + - "--label=org.opencontainers.image.source={{ .GitURL }}" + + - image_templates: + - 'getsops/sops:{{ .Version }}-arm64' + use: buildx + goos: linux + goarch: arm64 + ids: + - binary-linux + dockerfile: .release/Dockerfile + build_flag_templates: + - "--pull" + - "--platform=linux/arm64" + - "--label=org.opencontainers.image.created={{ .Date }}" + - "--label=org.opencontainers.image.name={{ .ProjectName }}" + - "--label=org.opencontainers.image.revision={{ .FullCommit }}" + - "--label=org.opencontainers.image.version={{ .Version }}" + - "--label=org.opencontainers.image.source={{ .GitURL }}" + + - image_templates: + - 'getsops/sops:{{ .Version }}-alpine-amd64' + use: buildx + goos: linux + goarch: amd64 + ids: + - binary-linux + dockerfile: .release/alpine.Dockerfile + build_flag_templates: + - "--pull" + - "--platform=linux/amd64" + - "--label=org.opencontainers.image.created={{ .Date }}" + - "--label=org.opencontainers.image.name={{ .ProjectName }}" + - "--label=org.opencontainers.image.revision={{ .FullCommit }}" + - "--label=org.opencontainers.image.version={{ .Version }}" + - "--label=org.opencontainers.image.source={{ .GitURL }}" + + - image_templates: + - 'getsops/sops:{{ .Version }}-alpine-arm64' + use: buildx + goos: linux + goarch: arm64 + ids: + - binary-linux + dockerfile: .release/alpine.Dockerfile + build_flag_templates: + - 
"--pull" + - "--platform=linux/arm64" + - "--label=org.opencontainers.image.created={{ .Date }}" + - "--label=org.opencontainers.image.name={{ .ProjectName }}" + - "--label=org.opencontainers.image.revision={{ .FullCommit }}" + - "--label=org.opencontainers.image.version={{ .Version }}" + - "--label=org.opencontainers.image.source={{ .GitURL }}" + +# xref: https://goreleaser.com/customization/docker_manifest/ +docker_manifests: + - name_template: 'getsops/sops:{{ .Version }}' + image_templates: + - 'getsops/sops:{{ .Version }}-amd64' + - 'getsops/sops:{{ .Version }}-arm64' + + - name_template: 'getsops/sops:{{ .Version }}-alpine' + image_templates: + - 'getsops/sops:{{ .Version }}-alpine-amd64' + - 'getsops/sops:{{ .Version }}-alpine-arm64' diff --git a/.release/Dockerfile b/.release/Dockerfile new file mode 100644 index 000000000..b85ef1005 --- /dev/null +++ b/.release/Dockerfile @@ -0,0 +1,16 @@ +FROM debian:bookworm-slim + +RUN apt-get update && apt-get install --no-install-recommends -y \ + awscli \ + azure-cli \ + curl \ + gnupg \ + vim \ + && rm -rf /var/lib/apt/lists/* + +ENV EDITOR vim + +# Glob pattern to match the binary for the current architecture +COPY sops* /usr/local/bin/sops + +ENTRYPOINT ["sops"] diff --git a/.release/alpine.Dockerfile b/.release/alpine.Dockerfile new file mode 100644 index 000000000..eaffdfd73 --- /dev/null +++ b/.release/alpine.Dockerfile @@ -0,0 +1,13 @@ +FROM alpine:3.18 + +RUN apk --no-cache add \ + ca-certificates \ + vim \ + && update-ca-certificates + +ENV EDITOR vim + +# Glob pattern to match the binary for the current architecture +COPY sops* /usr/local/bin/sops + +ENTRYPOINT ["sops"] From 3faed48811416d45ea73bd7c898c756ac3125982 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Mon, 31 Jul 2023 00:05:46 +0200 Subject: [PATCH 013/135] release: sign checksum file and images with cosign Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) 
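Review bot: `--label=org.opencontainers.image.name=...` in all four `dockers` entries uses a key the OCI image-spec annotations do not define; the defined key for a human-readable name is `org.opencontainers.image.title`, and tooling that reads the standard keys will ignore the custom one. Replace it with `"--label=org.opencontainers.image.title={{ .ProjectName }}"`, and consider adding `org.opencontainers.image.licenses` and `org.opencontainers.image.description`, which registries and scanners surface.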
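Review bot: Neither `.release/Dockerfile` nor `.release/alpine.Dockerfile` sets a `USER`, so the published images run `sops` as root by default, and both build `FROM` a mutable tag that `--pull` re-resolves on every build, so rebuilding the same release can silently pull a different base. Pin the base images by digest (`FROM alpine:3.18@sha256:<digest>`, likewise for `debian:bookworm-slim`) and, if it is compatible with how gnupg and the AWS/Azure CLIs find their configuration, add a non-root user with a writable `HOME` before the `ENTRYPOINT`. `ENV EDITOR vim` is the legacy whitespace form; `ENV EDITOR=vim` is the form Docker now recommends. The `COPY sops* /usr/local/bin/sops` glob depends on the GoReleaser build context containing exactly one matching binary, which the per-arch `ids: [binary-linux]` plus `goarch` selection is meant to guarantee — worth stating that assumption in the existing comment.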
diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 04d704d4e..c5d00f92d 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -113,6 +113,18 @@ sboms: documents: - "${artifact}.spdx.sbom.json" +# xref: https://goreleaser.com/customization/sign/ +signs: + - cmd: cosign + certificate: "${artifact}.pem" + artifacts: checksum + args: + - "sign-blob" + - "--output-certificate=${certificate}" + - "--output-signature=${signature}" + - '${artifact}' + - "--yes" + # xref: https://goreleaser.com/customization/docker/ dockers: - image_templates: @@ -194,3 +206,13 @@ docker_manifests: image_templates: - 'getsops/sops:{{ .Version }}-alpine-amd64' - 'getsops/sops:{{ .Version }}-alpine-arm64' + +# xref: https://goreleaser.com/customization/docker_sign/ +docker_signs: + - cmd: cosign + artifacts: all + output: true + args: + - "sign" + - "${artifact}@${digest}" + - "--yes" From 553e1ee96b66c88a4ca70ed08d70f9d3bd2be915 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Mon, 31 Jul 2023 22:49:37 +0200 Subject: [PATCH 014/135] release: enable GitHub native note generation This appears to be the best option at present to e.g. celebrate new contributors while also allowing things to be grouped by pull request label. For more information, see xrefs in patch. Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index c5d00f92d..375670a05 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -216,3 +216,9 @@ docker_signs: - "sign" - "${artifact}@${digest}" - "--yes" + +# xref: https://goreleaser.com/customization/changelog/ +changelog: + # xref: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes#configuration-options + # xref: https://docs.github.com/en/free-pro-team@latest/rest/releases/releases?apiVersion=2022-11-28#generate-release-notes-content-for-a-release + use: github-native 
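Review bot: No key is configured for `signs` or `docker_signs`, so cosign will sign keylessly with whatever OIDC identity the build runner presents, and such a signature only protects consumers who know which identity to require; nothing in this patch records the `--certificate-identity` (release workflow path and tag ref) and `--certificate-oidc-issuer` values that `cosign verify-blob` / `cosign verify` must be given. Add a "Verifying releases" section to the README with those exact values once the workflow is in place, and state there that the blob signature covers only `sops-<version>.checksums.txt`, so an artifact is attested only if it is listed in that file. `artifacts: all` on `docker_signs` covers both the per-arch images and the manifest lists, which is the right scope.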
From 156c6ceb40088671836aa248a4e4094596f400dd Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Mon, 31 Jul 2023 23:32:44 +0200 Subject: [PATCH 015/135] release: add release configuration This still needs further configuration of at least the `.header` field. Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 375670a05..f3c455671 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -222,3 +222,7 @@ changelog: # xref: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes#configuration-options # xref: https://docs.github.com/en/free-pro-team@latest/rest/releases/releases?apiVersion=2022-11-28#generate-release-notes-content-for-a-release use: github-native + +# xref: https://goreleaser.com/customization/release/ +release: + prerelease: auto From aac7fae2e617e11d9994134a317cac7acb4e41e8 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Mon, 31 Jul 2023 23:44:12 +0200 Subject: [PATCH 016/135] release: publish container images to GHCR and Quay Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index f3c455671..ee87b0edc 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -80,7 +80,7 @@ nfpms: - id: deb package_name: '{{ .ProjectName }}' file_name_template: '{{ .ConventionalFileName }}' - vendor: SOPS (Secret OPerationS) project + vendor: CNCF SOPS homepage: https://github.com/getsops/sops maintainer: SOPS maintainers description: Simple and flexible tool for managing secrets @@ -128,7 +128,8 @@ signs: # xref: https://goreleaser.com/customization/docker/ dockers: - image_templates: - - 'getsops/sops:{{ .Version }}-amd64' + - 'ghcr.io/getsops/sops:{{ .Version }}-amd64' + - 'quay.io/getsops/sops:{{ .Version }}-amd64' use: buildx goos: linux goarch: amd64 
@@ -145,7 +146,8 @@ dockers: - "--label=org.opencontainers.image.source={{ .GitURL }}" - image_templates: - - 'getsops/sops:{{ .Version }}-arm64' + - 'ghcr.io/getsops/sops:{{ .Version }}-arm64' + - 'quay.io/getsops/sops:{{ .Version }}-arm64' use: buildx goos: linux goarch: arm64 @@ -162,7 +164,8 @@ dockers: - "--label=org.opencontainers.image.source={{ .GitURL }}" - image_templates: - - 'getsops/sops:{{ .Version }}-alpine-amd64' + - 'ghcr.io/getsops/sops:{{ .Version }}-alpine-amd64' + - 'quay.io/getsops/sops:{{ .Version }}-alpine-amd64' use: buildx goos: linux goarch: amd64 @@ -179,7 +182,8 @@ dockers: - "--label=org.opencontainers.image.source={{ .GitURL }}" - image_templates: - - 'getsops/sops:{{ .Version }}-alpine-arm64' + - 'ghcr.io/getsops/sops:{{ .Version }}-alpine-arm64' + - 'quay.io/getsops/sops:{{ .Version }}-alpine-arm64' use: buildx goos: linux goarch: arm64 
@@ -197,15 +201,25 @@ dockers: # xref: https://goreleaser.com/customization/docker_manifest/ docker_manifests: - - name_template: 'getsops/sops:{{ .Version }}' + - name_template: 'ghcr.io/getsops/sops:{{ .Version }}' image_templates: - - 'getsops/sops:{{ .Version }}-amd64' - - 'getsops/sops:{{ .Version }}-arm64' + - 'ghcr.io/getsops/sops:{{ .Version }}-amd64' + - 'ghcr.io/getsops/sops:{{ .Version }}-arm64' - - name_template: 'getsops/sops:{{ .Version }}-alpine' + - name_template: 'ghcr.io/getsops/sops:{{ .Version }}-alpine' image_templates: - - 'getsops/sops:{{ .Version }}-alpine-amd64' - - 'getsops/sops:{{ .Version }}-alpine-arm64' + - 'ghcr.io/getsops/sops:{{ .Version }}-alpine-amd64' + - 'ghcr.io/getsops/sops:{{ .Version }}-alpine-arm64' + + - name_template: 'quay.io/getsops/sops:{{ .Version }}' + image_templates: + - 'quay.io/getsops/sops:{{ .Version }}-amd64' + - 'quay.io/getsops/sops:{{ .Version }}-arm64' + + - name_template: 'quay.io/getsops/sops:{{ .Version }}-alpine' + image_templates: + - 'quay.io/getsops/sops:{{ .Version }}-alpine-amd64' + - 'quay.io/getsops/sops:{{ .Version }}-alpine-arm64' # xref: https://goreleaser.com/customization/docker_sign/ docker_signs: From 10335165c6526f45dccbbb2a417d1a230b711daa Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 1 Aug 2023 00:37:37 +0200 Subject: [PATCH 017/135] release: download modules and check dirty state Plus a tiny nit to not have to pass `--yes` to Cosign everywhere, and enabling of size reporting. Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index ee87b0edc..bc0911851 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
@@ -2,6 +2,19 @@ project_name: sops +# xref: https://goreleaser.com/customization/hooks/ +before: + hooks: + - go mod download + - /usr/bin/env bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi' + +# xref: https://goreleaser.com/customization/env/ +env: + - COSIGN_YES=true + +# xref: https://goreleaser.com/customization/reportsizes/ +report_sizes: true + # xref: https://goreleaser.com/customization/build/ builds: - id: binary-linux @@ -123,7 +136,6 @@ signs: - "--output-certificate=${certificate}" - "--output-signature=${signature}" - '${artifact}' - - "--yes" # xref: https://goreleaser.com/customization/docker/ dockers: @@ -229,7 +241,6 @@ docker_signs: args: - "sign" - "${artifact}@${digest}" - - "--yes" # xref: https://goreleaser.com/customization/changelog/ changelog: From 7de7a6e754eecc9ab7ca15a6c160f02510ef2aae Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 1 Aug 2023 00:38:27 +0200 Subject: [PATCH 018/135] build: outline new release workflow Signed-off-by: Hidde Beydals --- .github/workflows/release.yml | 109 +++++++++++++++++----------------- 1 file changed, 55 insertions(+), 54 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3f1d5f41a..86089a662 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
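Review bot: The new `before.hooks` download modules and abort if `go.mod`/`go.sum` changed, but never run `go mod verify`, which is the check that what is actually in the module cache matches the hashes in `go.sum`; without it a tampered runner cache would build into the signed release unnoticed. The dirty check is also more convoluted than it needs to be: `git diff --exit-code` already returns non-zero when there is a difference, so the `bash -c 'if [ -n "$(...)" ]; then exit 1; fi'` wrapper can become `- git diff --exit-code -- go.mod go.sum`, with `- go mod verify` inserted after `- go mod download`. `COSIGN_YES=true` in `env:` replaces the per-invocation `--yes` and is visible to every hook and signer, which is the intended effect.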
@@ -2,64 +2,65 @@ name: Release on: push: - tags: - - "v*" + tags: [ 'v*' ] + +permissions: + contents: read jobs: - tagged-release: - name: "Tagged Release" + release: runs-on: ubuntu-latest + permissions: + contents: write # for creating the GitHub release. + id-token: write # for creating OIDC tokens for signing. + packages: write # for pushing and signing container images. + steps: - - name: Install dependencies - run: sudo apt-get update && sudo apt-get install git ruby rpm -y - - name: Install fpm - run: gem install fpm || sudo gem install fpm - - name: Set up Go 1.20 - uses: actions/setup-go@v3 + - name: Checkout + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + + - name: Unshallow clone for tags + run: git fetch --prune --unshallow --tags + + - name: Setup Go + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: - go-version: '1.20' - id: go - - name: Check out code into the Go module directory - uses: actions/checkout@v3 - - name: Go vendor - run: go mod vendor - - name: Make release directory - run: mkdir dist - - name: Build deb and rpm - run: make deb-pkg rpm-pkg - - name: Move deb and rpm into release directory - run: mv *.deb *.rpm dist/ - - name: Set RELEASE_VERSION - run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV - - name: Set RELEASE_NUMBER - run: echo "RELEASE_NUMBER=$(echo $RELEASE_VERSION | cut -c2-)" >> $GITHUB_ENV - - name: Build linux amd64 binary - run: GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 github.com/getsops/sops/v3/cmd/sops && cp dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 dist/sops-${{ env.RELEASE_VERSION }}.linux - - name: Build linux arm64 binary - run: GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.linux.arm64 github.com/getsops/sops/v3/cmd/sops - - name: Build darwin amd64 binary - run: GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build 
-mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 github.com/getsops/sops/v3/cmd/sops - - name: Copy darwin amd64 to have a no-architecture labeled version - run: cp dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 dist/sops-${{ env.RELEASE_VERSION }}.darwin - - name: Build darwin arm64 binary - run: GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.arm64 github.com/getsops/sops/v3/cmd/sops - - name: Build windows binary - run: GOOS=windows CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.exe github.com/getsops/sops/v3/cmd/sops - - name: Create release - uses: "mozilla/action-automatic-releases@latest" + go-version: 1.20.x + cache-dependency-path: | + **/go.sum + **/go.mod + + - name: Setup Syft + uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 + + - name: Setup Cosign + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1 + + - name: Setup QEMU + uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 + + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 + + - name: Login to GitHub Container Registry + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Quay.io + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_BOT_USERNAME }} + password: ${{ secrets.QUAY_BOT_TOKEN }} + + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0 with: - repo_token: "${{ secrets.GITHUB_TOKEN }}" - prerelease: true - files: | - dist/sops-${{ env.RELEASE_VERSION }}.exe - dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 - dist/sops-${{ 
env.RELEASE_VERSION }}.darwin.arm64 - dist/sops-${{ env.RELEASE_VERSION }}.darwin - dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 - dist/sops-${{ env.RELEASE_VERSION }}.linux.arm64 - dist/sops-${{ env.RELEASE_VERSION }}.linux - dist/sops_${{ env.RELEASE_NUMBER }}_amd64.deb - dist/sops_${{ env.RELEASE_NUMBER }}_arm64.deb - dist/sops-${{ env.RELEASE_NUMBER }}-1.x86_64.rpm - dist/sops-${{ env.RELEASE_NUMBER }}-1.aarch64.rpm + version: latest + args: release --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 4403a77fa4f88345a350caade4f1bacfa058cf4f Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 3 Aug 2023 00:28:28 +0200 Subject: [PATCH 019/135] release: remove stale Make target utilities These are no longer required, as they are now handled by GoReleaser or no longer under our control (`make_download_page.sh`). Signed-off-by: Hidde Beydals --- Makefile | 61 -------------------------------------------------------- 1 file changed, 61 deletions(-) diff --git a/Makefile b/Makefile index ee0b5831f..ad73eeb94 100644 --- a/Makefile +++ b/Makefile 
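Review bot: Every action step is pinned to a commit SHA, but the GoReleaser binary that builds, signs and publishes is requested with `version: latest`, so the one tool holding `contents`/`packages` write access and the OIDC token is the only unpinned component; set `version:` to an explicit GoReleaser release tag and bump it deliberately. The permission scoping is good — `contents: read` at workflow level, `contents`/`id-token`/`packages: write` only on the release job — but because any `v*` tag push now yields signed, published artifacts, tag protection rules limiting who can create `v*` tags are the complementary control, outside this file. `git fetch --prune --unshallow --tags` could be replaced by `fetch-depth: 0` on the checkout step, which is the documented way to give GoReleaser full history.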
@@ -48,65 +48,4 @@ functional-tests-all: $(GO) build -o functional-tests/sops github.com/getsops/sops/v3/cmd/sops cd functional-tests && cargo test && cargo test -- --ignored -# Creates variables during target re-definition. Basically this block allows the particular variables to be used in the final target -build-deb-%: OS = $(word 1,$(subst -, ,$*)) -build-deb-%: ARCH = $(word 2,$(subst -, ,$*)) -build-deb-%: FPM_ARCH = $(word 3,$(subst -, ,$*)) -# Poor-mans function with parameters being split out from the variable part of it's name -build-deb-%: - rm -rf tmppkg - mkdir -p tmppkg/usr/local/bin - GOOS=$(OS) GOARCH="$(ARCH)" CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops github.com/getsops/sops/v3/cmd/sops - fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ - --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \ - -m "AJ Bahnken " \ - --url https://github.com/getsops/sops/v3 \ - --architecture $(FPM_ARCH) \ - -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ - -s dir -t deb . - -# Create .deb packages for multiple architectures -deb-pkg: vendor build-deb-linux-amd64-x86_64 build-deb-linux-arm64-arm64 - -# Creates variables during target re-definition. Basically this block allows the particular variables to be used in the final target -build-rpm-%: OS = $(word 1,$(subst -, ,$*)) -build-rpm-%: ARCH = $(word 2,$(subst -, ,$*)) -build-rpm-%: FPM_ARCH = $(word 3,$(subst -, ,$*)) -# Poor-mans function with parameters being split out from the variable part of it's name -build-rpm-%: - rm -rf tmppkg - mkdir -p tmppkg/usr/local/bin - GOOS=$(OS) GOARCH="$(ARCH)" CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops github.com/getsops/sops/v3/cmd/sops - fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ - --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." 
\ - -m "AJ Bahnken " \ - --url https://github.com/getsops/sops/v3 \ - --architecture $(FPM_ARCH) \ - --rpm-os $(OS) \ - -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ - -s dir -t rpm . - -# Create .rpm packages for multiple architectures -rpm-pkg: vendor build-rpm-linux-amd64-x86_64 build-rpm-linux-arm64-arm64 - -dmg-pkg: install -ifneq ($(OS),darwin) - echo 'you must be on MacOS and set OS=darwin on the make command line to build an OSX package' -else - rm -rf tmppkg - mkdir -p tmppkg/usr/local/bin - cp $$GOPATH/bin/sops tmppkg/usr/local/bin/ - fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ - --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \ - -m "Mozilla Security " \ - --url https://github.com/getsops/sops/v3 \ - --architecture x86_64 \ - -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ - -s dir -t osxpkg \ - --osxpkg-identifier-prefix org.mozilla.sops \ - -p tmppkg/sops-$$(git describe --abbrev=0 --tags).pkg . - hdiutil makehybrid -hfs -hfs-volume-name "Mozilla Sops" \ - -o tmppkg/sops-$$(git describe --abbrev=0 --tags).dmg tmpdmg -endif - .PHONY: all test generate clean vendor functional-tests From 82892630c9de465b321c06b853411110c9326e5f Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 3 Aug 2023 23:09:04 +0200 Subject: [PATCH 020/135] release: small nits Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 96 +++++++++++++++++++++++++++--------------------- 1 file changed, 54 insertions(+), 42 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index bc0911851..7adc91927 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -10,6 +10,8 @@ before: # xref: https://goreleaser.com/customization/env/ env: + - CGO_ENABLED=0 + - PKG=github.com/getsops/sops/v3/version - COSIGN_YES=true # xref: https://goreleaser.com/customization/reportsizes/ 
@@ -27,7 +29,7 @@ builds: ldflags: - > -extldflags "-static" -s -w - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}" + -X {{ .Env.PKG }}.Version={{ .Version }}" env: - CGO_ENABLED=0 goos: @@ -48,9 +50,7 @@ builds: ldflags: - > -extldflags "-static" -s -w - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}" - env: - - CGO_ENABLED=0 + -X {{ .Env.PKG }}.Version={{ .Version }} goos: - darwin goarch: @@ -69,9 +69,7 @@ builds: ldflags: - > -extldflags "-static" -s -w - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}" - env: - - CGO_ENABLED=0 + -X {{ .Env.PKG }}.Version={{ .Version }} goos: - windows goarch: @@ -94,7 +92,7 @@ nfpms: package_name: '{{ .ProjectName }}' file_name_template: '{{ .ConventionalFileName }}' vendor: CNCF SOPS - homepage: https://github.com/getsops/sops + homepage: https://github.com/{{ .Env.GITHUB_REPOSITORY }} maintainer: SOPS maintainers description: Simple and flexible tool for managing secrets license: MPL-2.0 @@ -102,22 +100,28 @@ nfpms: - deb - rpm -# xref: https://goreleaser.com/customization/checksum/ -checksum: - name_template: "{{ .ProjectName }}-{{ .Version }}.checksums.txt" - algorithm: sha256 - ids: - - binary-linux - - binary-darwin - - binary-windows - # xref: https://goreleaser.com/customization/snapshots/ snapshot: name_template: "{{ incpatch .Version }}-dev-{{ .ShortCommit }}" # xref: https://goreleaser.com/customization/archive/#disable-archiving archives: - - format: binary + - id: binaries + format: binary + builds: + - binary-linux + - binary-darwin + - binary-windows + # NB: Binaries already have unique names to ensure compatibility with + # release artifacts < v3.8.0. + name_template: "{{ .Binary }}" + +# xref: https://goreleaser.com/customization/checksum/ +checksum: + name_template: "{{ .ProjectName }}-{{ .Version }}.checksums.txt" + algorithm: sha256 + ids: + - binaries # xref: https://goreleaser.com/customization/sbom/ sboms: 
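Review bot: The `binary-linux` ldflags now end in `-X {{ .Env.PKG }}.Version={{ .Version }}"` with a trailing `"` that has no opening quote, whereas the darwin and windows hunks below correctly have none; depending on how GoReleaser splits the folded string this either fails to parse or embeds the quote in the version value. Change the line to `-X {{ .Env.PKG }}.Version={{ .Version }}` to match the other two. The same hunk leaves a per-build `env: - CGO_ENABLED=0` on the linux build while removing it from darwin/windows now that it is set globally — harmless but inconsistent. `homepage: https://github.com/{{ .Env.GITHUB_REPOSITORY }}` makes the config depend on a variable that GitHub Actions sets but a local `goreleaser release --snapshot` does not; it should be documented as a required export for local runs or given a fallback.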
@@ -129,19 +133,23 @@ sboms: # xref: https://goreleaser.com/customization/sign/ signs: - cmd: cosign - certificate: "${artifact}.pem" artifacts: checksum + signature: "${artifact}.sig" + certificate: "${artifact}.pem" args: - "sign-blob" - - "--output-certificate=${certificate}" - - "--output-signature=${signature}" - - '${artifact}' + - "--output-signature" + - "${artifact}.sig" + - "--output-certificate" + - "${artifact}.pem" + - "${artifact}" + output: true # xref: https://goreleaser.com/customization/docker/ dockers: - image_templates: - - 'ghcr.io/getsops/sops:{{ .Version }}-amd64' - - 'quay.io/getsops/sops:{{ .Version }}-amd64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-amd64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-amd64' use: buildx goos: linux goarch: amd64 @@ -158,8 +166,8 @@ dockers: - "--label=org.opencontainers.image.source={{ .GitURL }}" - image_templates: - - 'ghcr.io/getsops/sops:{{ .Version }}-arm64' - - 'quay.io/getsops/sops:{{ .Version }}-arm64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-arm64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-arm64' use: buildx goos: linux goarch: arm64 @@ -176,8 +184,8 @@ dockers: - "--label=org.opencontainers.image.source={{ .GitURL }}" - image_templates: - - 'ghcr.io/getsops/sops:{{ .Version }}-alpine-amd64' - - 'quay.io/getsops/sops:{{ .Version }}-alpine-amd64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-amd64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-amd64' use: buildx goos: linux goarch: amd64 @@ -194,8 +202,8 @@ dockers: - "--label=org.opencontainers.image.source={{ .GitURL }}" - image_templates: - - 'ghcr.io/getsops/sops:{{ .Version }}-alpine-arm64' - - 'quay.io/getsops/sops:{{ .Version }}-alpine-arm64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-arm64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-arm64' use: buildx goos: linux goarch: arm64 
@@ -213,25 +221,25 @@ dockers: # xref: https://goreleaser.com/customization/docker_manifest/ docker_manifests: - - name_template: 'ghcr.io/getsops/sops:{{ .Version }}' + - name_template: 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}' image_templates: - - 'ghcr.io/getsops/sops:{{ .Version }}-amd64' - - 'ghcr.io/getsops/sops:{{ .Version }}-arm64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-amd64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-arm64' - - name_template: 'ghcr.io/getsops/sops:{{ .Version }}-alpine' + - name_template: 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine' image_templates: - - 'ghcr.io/getsops/sops:{{ .Version }}-alpine-amd64' - - 'ghcr.io/getsops/sops:{{ .Version }}-alpine-arm64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-amd64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-arm64' - - name_template: 'quay.io/getsops/sops:{{ .Version }}' + - name_template: 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}' image_templates: - - 'quay.io/getsops/sops:{{ .Version }}-amd64' - - 'quay.io/getsops/sops:{{ .Version }}-arm64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-amd64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-arm64' - - name_template: 'quay.io/getsops/sops:{{ .Version }}-alpine' + - name_template: 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine' image_templates: - - 'quay.io/getsops/sops:{{ .Version }}-alpine-amd64' - - 'quay.io/getsops/sops:{{ .Version }}-alpine-arm64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-amd64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-arm64' # xref: https://goreleaser.com/customization/docker_sign/ docker_signs: @@ -240,6 +248,10 @@ docker_signs: output: true args: - "sign" + - "-a" + - "GIT_SHA={{ .FullCommit }}" + - "-a" + - "GIT_TAG={{ .Tag }}" - "${artifact}@${digest}" # xref: https://goreleaser.com/customization/changelog/ 
From f59dd8ee058d775626b480299a43ebaeab7a2c12 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Fri, 4 Aug 2023 01:03:06 +0200 Subject: [PATCH 021/135] release: refactor backwards compatible artifacts Which in turn solves the generation of the checksum file. Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 44 +++++++++++++++++++++++++++++++------------- 1 file changed, 31 insertions(+), 13 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 7adc91927..2f8df31b1 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -22,7 +22,7 @@ builds: - id: binary-linux main: ./cmd/sops # Specially crafted to ensure compatibility with release artifacts < v3.8.0. - binary: "{{ .ProjectName }}-{{ .Version }}.{{ .Os }}.{{ .Arch }}" + binary: "{{ .ProjectName }}" flags: - -v - -trimpath @@ -43,7 +43,7 @@ builds: - id: binary-darwin main: ./cmd/sops # Specially crafted to ensure compatibility with release artifacts < v3.8.0. - binary: "{{ .ProjectName }}-{{ .Version }}.{{ .Os }}.{{ .Arch }}" + binary: "{{ .ProjectName }}" flags: - -v - -trimpath @@ -62,7 +62,7 @@ builds: - id: binary-windows main: ./cmd/sops # Specially crafted to ensure compatibility with release artifacts < v3.8.0. - binary: "{{ .ProjectName }}-{{ .Version }}" + binary: "{{ .ProjectName }}" flags: - -v - -trimpath 
@@ -79,12 +79,16 @@ builds: # xref: https://goreleaser.com/customization/universalbinaries/ universal_binaries: - - ids: + - id: binary-darwin-universal + ids: - binary-darwin - # Specially crafted to ensure compatibility with release artifacts < v3.8.0. - # Before v3.8.0, this used to be _just_ the AMD64 binary. - name_template: '{{ .ProjectName }}-{{ .Version }}.darwin' + name_template: '{{ .ProjectName }}' + # We want to continue to ship individual binaries for darwin/amd64 and + # darwin/arm64. replace: false + # Modified timestamp on the binary, set to ensure reproducible builds. + # NB: Available in (unreleased) GoReleaser >=1.20.0. + # mod_timestamp: "{{ .CommitTimestamp }}" # xref: https://goreleaser.com/customization/nfpm/ nfpms: 
@@ -106,29 +110,43 @@ snapshot: # xref: https://goreleaser.com/customization/archive/#disable-archiving archives: - - id: binaries + - id: archive-unix format: binary builds: - binary-linux - binary-darwin + # NB: specifically crafted to ensure compatibility with release artifacts < v3.8.0. + name_template: '{{ .ProjectName }}-{{ .Version }}.{{ .Os }}.{{ .Arch }}' + - id: archive-windows + format: binary + builds: - binary-windows - # NB: Binaries already have unique names to ensure compatibility with - # release artifacts < v3.8.0. - name_template: "{{ .Binary }}" + # NB: specifically crafted to ensure compatibility with release artifacts < v3.8.0. + name_template: '{{ .ProjectName }}-{{ .Version }}' + - id: archive-darwin-universal + format: binary + builds: + - binary-darwin-universal + # NB: specifically crafted to ensure compatibility with release artifacts < v3.8.0. + # We can't bundle this with the other unix archive, because .Arch becomes "all". + # Before v3.8.0, this used to be _just_ the AMD64 binary. + name_template: '{{ .ProjectName }}-{{ .Version }}.darwin' # xref: https://goreleaser.com/customization/checksum/ checksum: name_template: "{{ .ProjectName }}-{{ .Version }}.checksums.txt" algorithm: sha256 ids: - - binaries + - archive-unix + - archive-windows + - archive-darwin-universal # xref: https://goreleaser.com/customization/sbom/ sboms: - id: binary-sbom artifacts: binary documents: - - "${artifact}.spdx.sbom.json" + - "{{ .ArtifactName }}.spdx.sbom.json" # xref: https://goreleaser.com/customization/sign/ signs: From 212c95d72889ecf0142d54c24aa1a93dd6ebe246 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Fri, 4 Aug 2023 01:42:03 +0200 Subject: [PATCH 022/135] release: extend timeout Signed-off-by: Hidde Beydals --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 86089a662..f2798a91e 100644 --- a/.github/workflows/release.yml 
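Review bot: The signed checksums file only lists the three archive ids (`archive-unix`, `archive-windows`, `archive-darwin-universal`), so the `.deb`/`.rpm` packages produced by `nfpms` and the SBOM documents ship with neither an entry in the checksums file nor a signature of their own (the `signs` block configured in PATCH 020 targets `artifacts: checksum` only). A consumer following the checksum-signature verification path therefore has no way to validate those artifacts. If GoReleaser's `checksum.ids` accepts the nfpm id, adding it there closes the gap for the packages; otherwise the release notes should state which artifacts the signed checksums actually cover. The `signs:` block begins at the very end of this hunk and continues outside it.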
+++ b/.github/workflows/release.yml @@ -61,6 +61,6 @@ jobs: uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0 with: version: latest - args: release --clean + args: release --clean --timeout 1h env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From a98c47e8c2e5e8e569c405c0061acca057f840e6 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Fri, 4 Aug 2023 23:18:43 +0200 Subject: [PATCH 023/135] release: further improve build flags Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 2f8df31b1..d64add2c2 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -6,7 +6,6 @@ project_name: sops before: hooks: - go mod download - - /usr/bin/env bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi' # xref: https://goreleaser.com/customization/env/ env: @@ -21,17 +20,14 @@ report_sizes: true builds: - id: binary-linux main: ./cmd/sops - # Specially crafted to ensure compatibility with release artifacts < v3.8.0. binary: "{{ .ProjectName }}" flags: - - -v - -trimpath + - -mod=readonly ldflags: - > - -extldflags "-static" -s -w + -s -w -X {{ .Env.PKG }}.Version={{ .Version }}" - env: - - CGO_ENABLED=0 goos: - linux goarch: @@ -42,14 +38,13 @@ builds: - id: binary-darwin main: ./cmd/sops - # Specially crafted to ensure compatibility with release artifacts < v3.8.0. binary: "{{ .ProjectName }}" flags: - - -v - -trimpath + - -mod=readonly ldflags: - > - -extldflags "-static" -s -w + -s -w -X {{ .Env.PKG }}.Version={{ .Version }} goos: - darwin @@ -61,14 +56,14 @@ builds: - id: binary-windows main: ./cmd/sops - # Specially crafted to ensure compatibility with release artifacts < v3.8.0. binary: "{{ .ProjectName }}" flags: - - -v - -trimpath + - -buildmode=pie + - -mod=readonly ldflags: - > - -extldflags "-static" -s -w + -s -w -X {{ .Env.PKG }}.Version={{ .Version }} goos: - windows 
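Review bot: In PATCH 023's third hunk, `-buildmode=pie` is added only to the `binary-windows` build, where I believe Go has produced PIE executables by default since 1.15, while `binary-linux` keeps the default `exe` mode and so ships without position-independent code for ASLR. With `CGO_ENABLED=0` already set at the top of the file, Go supports `-buildmode=pie` on linux/amd64 and linux/arm64 through internal linking, so `- -buildmode=pie` could be added to the `binary-linux` `flags:` list as well; darwin binaries are PIE by default and need no change. Also worth a one-line comment next to `-mod=readonly`: it has been the go command's default since Go 1.16, so its value here is documentary rather than a replacement for the removed `git diff --exit-code go.mod go.sum` hook.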
@@ -117,12 +112,14 @@ archives: - binary-darwin # NB: specifically crafted to ensure compatibility with release artifacts < v3.8.0. name_template: '{{ .ProjectName }}-{{ .Version }}.{{ .Os }}.{{ .Arch }}' + - id: archive-windows format: binary builds: - binary-windows # NB: specifically crafted to ensure compatibility with release artifacts < v3.8.0. name_template: '{{ .ProjectName }}-{{ .Version }}' + - id: archive-darwin-universal format: binary builds: From f5ce84e56853feaf10fd2b188715b368752c8358 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Fri, 4 Aug 2023 23:21:18 +0200 Subject: [PATCH 024/135] release: pin GoReleaser version Signed-off-by: Hidde Beydals --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f2798a91e..0aeeacfd3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -60,7 +60,7 @@ jobs: - name: Run GoReleaser uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0 with: - version: latest + version: 1.19.x args: release --clean --timeout 1h env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From d52cc765e629fcbed3facfe1c95dabda51040167 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Sat, 5 Aug 2023 01:03:41 +0200 Subject: [PATCH 025/135] release: artifact, SBOM and container provenance Signed-off-by: Hidde Beydals --- .github/workflows/release.yml | 149 ++++++++++++++++++++++++++++++++-- 1 file changed, 143 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0aeeacfd3..4aeb0f6d3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -12,16 +12,21 @@ jobs: runs-on: ubuntu-latest permissions: - contents: write # for creating the GitHub release. - id-token: write # for creating OIDC tokens for signing. - packages: write # for pushing and signing container images. + contents: write # For creating the GitHub release. + id-token: write # For creating OIDC tokens for signing. + packages: write # For pushing and signing container images. + + outputs: + artifact-subjects: "${{ steps.artifact-hashes.outputs.subjects }}" + package-subjects: "${{ steps.package-hashes.outputs.subjects }}" + sbom-subjects: "${{ steps.sbom-hashes.outputs.subjects }}" + container-subjects: "${{ steps.container-metadata.outputs.subjects }}" steps: - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - - name: Unshallow clone for tags - run: git fetch --prune --unshallow --tags + with: + fetch-depth: 0 - name: Setup Go uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 
@@ -58,9 +63,141 @@ jobs: password: ${{ secrets.QUAY_BOT_TOKEN }} - name: Run GoReleaser + id: goreleaser uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0 with: version: 1.19.x args: release --clean --timeout 1h env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract artifact subjects + id: artifact-hashes + env: + ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" + run: | + set -euo pipefail + sum_file=$(echo -E $ARTIFACTS | jq -r '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^(.*?):";"")') + echo "subjects=$(echo "$sum_file" | base64 -w0)" >> "$GITHUB_OUTPUT" + + - name: Extract package subjects + id: package-hashes + env: + ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" + run: | + set -euo pipefail + + sum_file="$(mktemp)" + + mapfile -t file_paths < <(echo -E "$ARTIFACTS" | jq -r '.[] | select(.type=="Linux Package") | .path') + for f in "${file_paths[@]}"; do + file_name=$(basename "$f") + file_sum=$(sha256sum "$f" | awk '{print $1}') + echo "$file_sum $file_name" >> "$sum_file" + done + + echo "subjects=$(base64 -w0 < "$sum_file")" >> "$GITHUB_OUTPUT" + + - name: Extract SBOM subjects + id: sbom-hashes + env: + ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" + run: | + set -euo pipefail + + sum_file="$(mktemp)" + + mapfile -t file_paths < <(echo -E "$ARTIFACTS" | jq -r '.[] | select(.type=="SBOM") | .path') + for f in "${file_paths[@]}"; do + file_name=$(basename "$f") + file_sum=$(sha256sum "$f" | awk '{print $1}') + echo "$file_sum $file_name" >> "$sum_file" + done + + echo "subjects=$(base64 -w0 < "$sum_file")" >> "$GITHUB_OUTPUT" + + - name: Extract container image subjects + id: container-metadata + env: + ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" + run: | + image_list=$(echo -e "$ARTIFACTS" | jq -r '.[] | select(.type=="Docker Manifest") | {"image": (.name | sub("^.*?/"; "") | sub(":(.*)"; "")), "digest": 
.extra.Digest}') + echo "subjects=$(echo $image_list | jq -c -s 'unique_by(.digest) | {"include": .}')" >> "$GITHUB_OUTPUT" + + combine-subjects: + runs-on: ubuntu-latest + + needs: [ release ] + + outputs: + all-subjects: "${{ steps.combine-subjects.outputs.subjects }}" + + steps: + - name: Combine subjects + id: combine-subjects + env: + ARTIFACT_SUBJECTS: "${{ needs.release.outputs.artifact-subjects }}" + PACKAGE_SUBJECTS: "${{ needs.release.outputs.package-subjects }}" + SBOM_SUBJECTS: "${{ needs.release.outputs.sbom-subjects }}" + run: | + set -euo pipefail + + artifact_subjects=$(echo "$ARTIFACT_SUBJECTS" | base64 -d) + package_subjects=$(echo "$PACKAGE_SUBJECTS" | base64 -d) + sbom_subjects=$(echo "$SBOM_SUBJECTS" | base64 -d) + + all_subjects=$(echo -e "${artifact_subjects}\n${package_subjects}\n${sbom_subjects}\n" | sed '/^$/d') + + echo "subjects=$(echo "$all_subjects" | base64 -w0)" >> "$GITHUB_OUTPUT" + + assets-provenance: + needs: [ combine-subjects ] + + permissions: + actions: read # For detecting the GitHub Actions environment. + id-token: write # For creating OIDC tokens for signing. + contents: write # For adding assets to a release. + + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.8.0 + with: + base64-subjects: "${{ needs.combine-subjects.outputs.all-subjects }}" + upload-assets: true + provenance-name: "provenance.intoto.jsonl" + + ghcr-container-provenance: + needs: [ release ] + + permissions: + actions: read # For detecting the Github Actions environment. + id-token: write # For creating OIDC tokens for signing. + packages: write # For uploading attestations. 
+ + strategy: + matrix: ${{ fromJSON(needs.release.outputs.container-subjects) }} + + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0 + with: + image: ghcr.io/${{ matrix.image }} + digest: ${{ matrix.digest }} + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + quay-container-provenance: + needs: [ release ] + + permissions: + actions: read # For detecting the Github Actions environment. + id-token: write # For creating OIDC tokens for signing. + packages: write # For uploading attestations. + + strategy: + matrix: ${{ fromJSON(needs.release.outputs.container-subjects) }} + + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0 + with: + image: quay.io/${{ matrix.image }} + digest: ${{ matrix.digest }} + secrets: + registry-username: ${{ secrets.QUAY_BOT_USERNAME }} + registry-password: ${{ secrets.QUAY_BOT_TOKEN }} From 1eed2ed698dd327d0088e5dee9c09a9234acd455 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Wed, 9 Aug 2023 00:59:16 +0200 Subject: [PATCH 026/135] release: backwards compatible tag fmt, changelog Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 72 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 48 insertions(+), 24 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index d64add2c2..523055f34 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -163,8 +163,8 @@ signs: # xref: https://goreleaser.com/customization/docker/ dockers: - image_templates: - - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-amd64' - - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-amd64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-amd64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-amd64' use: buildx goos: linux goarch: amd64 
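Review bot: The `Extract container image subjects` step is the only one of the four extraction scripts without `set -euo pipefail`, and it feeds the GoReleaser artifact JSON through `echo -e "$ARTIFACTS"` where the others use `echo -E`; `-e` rewrites backslash escapes inside the JSON, and the unquoted `echo $image_list` on the next line adds word splitting, so a failed `jq` or a mangled list produces an empty or corrupt matrix and the job still succeeds, leaving the two container-provenance jobs to run against nothing. Suggested lines: `set -euo pipefail` at the top of the script, `echo -E "$ARTIFACTS" | jq -r ...` and `echo "$image_list" | jq -c -s 'unique_by(.digest) | {"include": .}'`. The matrix also relies on `unique_by(.digest)` collapsing the ghcr and quay manifests into one entry per digest, which only holds while both registries receive byte-identical manifests; a comment stating that assumption would help the next maintainer.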
@@ -181,8 +181,8 @@ dockers: - "--label=org.opencontainers.image.source={{ .GitURL }}" - image_templates: - - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-arm64' - - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-arm64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-arm64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-arm64' use: buildx goos: linux goarch: arm64 @@ -199,8 +199,8 @@ dockers: - "--label=org.opencontainers.image.source={{ .GitURL }}" - image_templates: - - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-amd64' - - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-amd64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-alpine-amd64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-alpine-amd64' use: buildx goos: linux goarch: amd64 @@ -217,8 +217,8 @@ dockers: - "--label=org.opencontainers.image.source={{ .GitURL }}" - image_templates: - - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-arm64' - - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-arm64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-alpine-arm64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-alpine-arm64' use: buildx goos: linux goarch: arm64 
@@ -236,25 +236,25 @@ dockers: # xref: https://goreleaser.com/customization/docker_manifest/ docker_manifests: - - name_template: 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}' + - name_template: 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}' image_templates: - - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-amd64' - - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-arm64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-amd64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-arm64' - - name_template: 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine' + - name_template: 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-alpine' image_templates: - - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-amd64' - - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-arm64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-alpine-amd64' + - 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-alpine-arm64' - - name_template: 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}' + - name_template: 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}' image_templates: - - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-amd64' - - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-arm64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-amd64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-arm64' - - name_template: 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine' + - name_template: 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-alpine' image_templates: - - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-amd64' - - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:{{ .Version }}-alpine-arm64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-alpine-amd64' + - 'quay.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-alpine-arm64' # xref: https://goreleaser.com/customization/docker_sign/ docker_signs: 
@@ -263,10 +263,6 @@ docker_signs: output: true args: - "sign" - - "-a" - - "GIT_SHA={{ .FullCommit }}" - - "-a" - - "GIT_TAG={{ .Tag }}" - "${artifact}@${digest}" # xref: https://goreleaser.com/customization/changelog/ @@ -278,3 +274,31 @@ changelog: # xref: https://goreleaser.com/customization/release/ release: prerelease: auto + header: | + ## Container images + + Supported architectures: `linux/amd64` and `linux/arm64`. + + ### GitHub Container Registry + + - `ghrc.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}` + - `ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-alpine` + + ### Quay.io + + - `quay.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}` + - `quay.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-alpine` + + ### Verify container image signature + + The container images are signed with [Cosign](https://docs.sigstore.dev/cosign/overview/) using GitHub OIDC. To verify the signature of an image, run: + + ```shell + cosign verify ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }} \ + --certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com + ``` + + ### Verify container image provenance + + The container images include [SLSA provenance](https://slsa.dev/provenance/v0.2) attestations. For more information around the verification of this, please refer to the [`slsa-verifier` documentation](https://github.com/slsa-framework/slsa-verifier#containers). From 09f96e8656dabfd74b385f96215636668a49ae81 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Wed, 9 Aug 2023 01:27:35 +0200 Subject: [PATCH 027/135] release: further solve backwards compatible names Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 523055f34..83608f4c4 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
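Review bot: The cosign identity check in the new release header is too permissive: `--certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }}` is an unanchored regular expression with no trailing `/`, so a certificate issued to `https://github.com/<owner>-other/...` or to any identity merely containing that prefix also passes. Binding it to this repository's release workflow, e.g. `--certificate-identity-regexp='^https://github.com/{{ .Env.GITHUB_REPOSITORY }}/\.github/workflows/release\.yml@refs/tags/'`, ties the signature to the workflow that actually signs. The GitHub Container Registry list in the same header also has a typo, `ghrc.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}` for `ghcr.io/...`, which would send copy-pasting users to a different host. The same loose identity pattern reappears in PATCH 031's `verify-blob` instructions.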
@@ -111,14 +111,14 @@ archives: - binary-linux - binary-darwin # NB: specifically crafted to ensure compatibility with release artifacts < v3.8.0. - name_template: '{{ .ProjectName }}-{{ .Version }}.{{ .Os }}.{{ .Arch }}' + name_template: '{{ .ProjectName }}-v{{ .Version }}.{{ .Os }}.{{ .Arch }}' - id: archive-windows format: binary builds: - binary-windows # NB: specifically crafted to ensure compatibility with release artifacts < v3.8.0. - name_template: '{{ .ProjectName }}-{{ .Version }}' + name_template: '{{ .ProjectName }}-v{{ .Version }}' - id: archive-darwin-universal format: binary @@ -127,11 +127,11 @@ archives: # NB: specifically crafted to ensure compatibility with release artifacts < v3.8.0. # We can't bundle this with the other unix archive, because .Arch becomes "all". # Before v3.8.0, this used to be _just_ the AMD64 binary. - name_template: '{{ .ProjectName }}-{{ .Version }}.darwin' + name_template: '{{ .ProjectName }}-v{{ .Version }}.darwin' # xref: https://goreleaser.com/customization/checksum/ checksum: - name_template: "{{ .ProjectName }}-{{ .Version }}.checksums.txt" + name_template: "{{ .ProjectName }}-v{{ .Version }}.checksums.txt" algorithm: sha256 ids: - archive-unix From 16ac13bf2980311633a25e064532444cd6887a29 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Wed, 9 Aug 2023 01:34:00 +0200 Subject: [PATCH 028/135] build: remove obsolete Dockerfiles These were only part of the release process, and now continue to exist in `.release/*`. Signed-off-by: Hidde Beydals --- .dockerignore | 3 --- Dockerfile | 10 ---------- Dockerfile.alpine | 17 ----------------- 3 files changed, 30 deletions(-) delete mode 100644 .dockerignore delete mode 100644 Dockerfile delete mode 100644 Dockerfile.alpine diff --git a/.dockerignore b/.dockerignore deleted file mode 100644 index a7d3e834d..000000000 --- a/.dockerignore +++ /dev/null @@ -1,3 +0,0 @@ -/.git -/Dockerfile -/Dockerfile.alpine 
diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 6db37f1fa..000000000 --- a/Dockerfile +++ /dev/null @@ -1,10 +0,0 @@ -FROM golang:1.20 - -COPY . /go/src/github.com/getsops/sops/v3 -WORKDIR /go/src/github.com/getsops/sops/v3 - -RUN CGO_ENABLED=1 make install -RUN apt-get update -RUN apt-get install -y vim python3-pip emacs -RUN pip install awscli -ENV EDITOR vim diff --git a/Dockerfile.alpine b/Dockerfile.alpine deleted file mode 100644 index 583a83ce0..000000000 --- a/Dockerfile.alpine +++ /dev/null @@ -1,17 +0,0 @@ -FROM golang:1.20-alpine3.18 AS builder - -RUN apk --no-cache add make - -COPY . /go/src/github.com/getsops/sops/v3 -WORKDIR /go/src/github.com/getsops/sops/v3 - -RUN CGO_ENABLED=1 make install - - -FROM alpine:3.18 - -RUN apk --no-cache add \ - vim ca-certificates -ENV EDITOR vim -COPY --from=builder /go/bin/sops /usr/local/bin/sops -ENTRYPOINT ["/usr/local/bin/sops"] From 47669efebb2cb2d9dab09c8af7dbca41245dfce8 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 10 Aug 2023 00:24:41 +0200 Subject: [PATCH 029/135] release: tweak signature and certificate filenames Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 83608f4c4..2f8d2b517 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -149,14 +149,14 @@ sboms: signs: - cmd: cosign artifacts: checksum - signature: "${artifact}.sig" - certificate: "${artifact}.pem" + signature: '{{ trimsuffix .Env.artifact ".txt" }}.sig' + certificate: '{{ trimsuffix .Env.artifact ".txt" }}.pem' args: - "sign-blob" - "--output-signature" - - "${artifact}.sig" + - "${signature}" - "--output-certificate" - - "${artifact}.pem" + - "${certificate}" - "${artifact}" output: true From 20d50c3e0f7833e6697ea8d536f34794ad85e161 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 10 Aug 2023 00:27:29 +0200 Subject: [PATCH 030/135] release: disable Go cache for workflow 
Signed-off-by: Hidde Beydals --- .github/workflows/release.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4aeb0f6d3..26f22eb21 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -32,9 +32,7 @@ jobs: uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: 1.20.x - cache-dependency-path: | - **/go.sum - **/go.mod + cache: false - name: Setup Syft uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 From 9aeb4179684b2d6b12a45f8a5ebb3f60015aff24 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 10 Aug 2023 00:44:04 +0200 Subject: [PATCH 031/135] release: improve release notes Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 69 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 66 insertions(+), 3 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 2f8d2b517..b77cf56b3 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
@@ -275,9 +275,68 @@ changelog: release: prerelease: auto header: | - ## Container images + ## Installation - Supported architectures: `linux/amd64` and `linux/arm64`. + To install `{{ .ProjectName }}`, download one of the pre-built binaries provided for your platform from the artifacts attached to this release. + + For instance, if you are using Linux on an AMD64 architecture: + + ```shell + # Download the binary + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.linux.amd64 + + # Move the binary in to your PATH + mv {{ .ProjectName }}-v{{ .Version }}.linux.amd64 /usr/local/bin/{{ .ProjectName }} + + # Make the binary executable + chmod +x /usr/local/bin/{{ .ProjectName }} + ``` + + ### Verify checksums file signature + + The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands: + + ```shell + # Download the checksums file, certificate and signature + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.txt + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.pem + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.checksums.sig + + # Verify the checksums file + cosign verify-blob {{ .ProjectName }}-v{{ .Version }}.checksums.txt \ + --certificate {{ .ProjectName }}-v{{ .Version }}.checksums.pem \ + --signature {{ .ProjectName }}-v{{ .Version }}.checksums.sig \ + --certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com + ``` + + ### Verify binary integrity + + To verify the integrity of the downloaded 
binary, you can utilize the checksums file after having validated its signature: + + ```shell + # Verify the binary using the checksums file + sha256sum -c {{ .ProjectName }}-v{{ .Version }}.checksums.txt --ignore-missing + ``` + + ### Verify artifact provenance + + The [SLSA provenance](https://slsa.dev/provenance/v0.2) of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an [in-toto](https://in-toto.io/) link metadata file named `provenance.intoto.jsonl`. To verify the provenance of an artifact, you can utilize the [`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier#artifacts) tool: + + ```shell + # Download the metadata file + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/provenance.intoto.jsonl + + # Verify the provenance of the artifact + slsa-verifier \ + --provenance-path provenance.intoto.jsonl \ + --source-uri github.com/{{ .Env.GITHUB_REPOSITORY }} \ + --source-tag {{ .Tag }} + ``` + + ## Container Images + + These container images are available for the following architectures: `linux/amd64` and `linux/arm64`. ### GitHub Container Registry @@ -291,7 +350,7 @@ release: ### Verify container image signature - The container images are signed with [Cosign](https://docs.sigstore.dev/cosign/overview/) using GitHub OIDC. To verify the signature of an image, run: + The container images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of an image, run the following command: ```shell cosign verify ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }} \ 
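Review bot: The installation walkthrough in this hunk renames and moves the downloaded binary (`mv {{ .ProjectName }}-v{{ .Version }}.linux.amd64 /usr/local/bin/{{ .ProjectName }}`) before the "Verify binary integrity" section, whose `sha256sum -c {{ .ProjectName }}-v{{ .Version }}.checksums.txt --ignore-missing` then runs in a directory where the listed file no longer exists; recent coreutils reports "no file was verified" and exits non-zero, older ones exit 0 silently, and in both cases the binary already on PATH was never checked. Reorder the steps so the checksums-file signature and `sha256sum -c` run against the downloaded artifact before the `mv`/`chmod`, or note that the verify step must be run where the unrenamed file lives. The `cosign verify-blob` command inherits the unanchored `--certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }}` pattern from the container section and would benefit from the same tightening to the release workflow identity.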
@@ -302,3 +361,7 @@ release: ### Verify container image provenance The container images include [SLSA provenance](https://slsa.dev/provenance/v0.2) attestations. For more information around the verification of this, please refer to the [`slsa-verifier` documentation](https://github.com/slsa-framework/slsa-verifier#containers). + + ## Software Bill of Materials + + The Software Bill of Materials (SBOM) for each binary is accessible within the artifacts enclosed with this release. It is presented as an [SPDX](https://spdx.dev/) JSON file, formatted as `.spdx.sbom.json`. From ba1e8837c56a6475386a35ad4d4a67ca1e00af3f Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Fri, 11 Aug 2023 00:10:14 +0200 Subject: [PATCH 032/135] release: remove DockerHub release util script As it has been replaced with GoReleaser. Signed-off-by: Hidde Beydals --- .gitignore | 2 +- bin/ci/deploy_dockerhub.sh | 33 --------------------------------- 2 files changed, 1 insertion(+), 34 deletions(-) delete mode 100755 bin/ci/deploy_dockerhub.sh diff --git a/.gitignore b/.gitignore index de453ba26..721fabef4 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,5 @@ +bin/ dist/ -target/ Cargo.lock vendor/ coverage.txt diff --git a/bin/ci/deploy_dockerhub.sh b/bin/ci/deploy_dockerhub.sh deleted file mode 100755 index 89a7dc310..000000000 --- a/bin/ci/deploy_dockerhub.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/bash - -# THIS IS MEANT TO BE RUN BY CI - -set -e -set +x - -# Usage: retry MAX CMD... -# Retry CMD up to MAX times. If it fails MAX times, returns failure. -# Example: retry 3 docker push "mozilla/sops:$TAG" -function retry() { - max=$1 - shift - count=1 - until "$@"; do - count=$((count + 1)) - if [[ $count -gt $max ]]; then - return 1 - fi - echo "$count / $max" - done - return 0 -} -if [[ "$DOCKER_DEPLOY" == "true" ]]; then - # configure docker creds - retry 3 docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD" - # docker tag and push git branch to dockerhub - if [ -n "$1" ]; then - retry 3 docker push "mozilla/sops:$1" || - (echo "Couldn't push mozilla/sops:$1" && false) - echo "Pushed mozilla/sops:$1" - fi -fi From 07f74b6f975486f4857c5a29be9694a9d9abc4f9 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Fri, 11 Aug 2023 00:10:59 +0200 Subject: [PATCH 033/135] build: add `release-snapshot` Make target This allows you to run the release locally, without publishing or signing, against the current state of the repository. There are some more improvements I would like to make to the `Makefile` e.g., the deprecation of `golint` and the introduction of a `help` target. But they are out of scope for the current things I am working on. Signed-off-by: Hidde Beydals --- Makefile | 41 +++++++++++++++++++++++++++++++++++------ 1 file changed, 35 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index ad73eeb94..334bdcff8 100644 --- a/Makefile +++ b/Makefile 
@@ -2,11 +2,20 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. -PROJECT := github.com/getsops/sops/v3 -GO := GOPROXY=https://proxy.golang.org go -GOLINT := golint +PROJECT := github.com/getsops/sops/v3 +PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST)))) +GO := GOPROXY=https://proxy.golang.org go +GOLINT := golint +GITHUB_REPOSITORY ?= github.com/getsops/sops + +GORELEASER := $(PROJECT_DIR)/bin/goreleaser +GORELEASER_VERSION ?= v1.20.0 + +.PHONY: all all: test vet generate install functional-tests + +.PHONY: origin-build origin-build: test vet generate install functional-tests-all install: @@ -18,6 +27,7 @@ tag: all lint: $(GOLINT) $(PROJECT) +.PHONY: vendor vendor: $(GO) mod tidy $(GO) mod vendor @@ -25,6 +35,7 @@ vendor: vet: $(GO) vet $(PROJECT) +.PHONY: test test: vendor gpg --import pgp/sops_functional_tests_key.asc 2>&1 1>/dev/null || exit 0 ./test.sh 
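Review bot: `GITHUB_REPOSITORY ?= github.com/getsops/sops` does not match how the variable is consumed: the release header in `.goreleaser.yaml` renders it as `https://github.com/{{ .Env.GITHUB_REPOSITORY }}/...` and `--source-uri github.com/{{ .Env.GITHUB_REPOSITORY }}`, and in GitHub Actions the variable holds `owner/repo`. With this default a local `release-snapshot` produces URLs like `https://github.com/github.com/getsops/sops/...`, so the default should presumably be `GITHUB_REPOSITORY ?= getsops/sops`. A one-line comment above the assignment, `# owner/repo, as exported by GitHub Actions; used for release-note URLs`, would make the expected format obvious to the next person running a snapshot locally.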
@@ -32,20 +43,38 @@ test: vendor showcoverage: test $(GO) tool cover -html=coverage.out +.PHONY: generate generate: keyservice/keyservice.pb.go $(GO) generate %.pb.go: %.proto protoc --go_out=plugins=grpc:. $< +.PHONY: functional-tests functional-tests: $(GO) build -o functional-tests/sops github.com/getsops/sops/v3/cmd/sops cd functional-tests && cargo test -# Ignored tests are ones that require external services (e.g. AWS KMS) -# TODO: Once `--include-ignored` lands in rust stable, switch to that. +.PHONY: functional-tests-all functional-tests-all: $(GO) build -o functional-tests/sops github.com/getsops/sops/v3/cmd/sops + # Ignored tests are ones that require external services (e.g. AWS KMS) + # TODO: Once `--include-ignored` lands in rust stable, switch to that. cd functional-tests && cargo test && cargo test -- --ignored -.PHONY: all test generate clean vendor functional-tests +.PHONY: release-snapshot +release-snapshot: install-goreleaser + GITHUB_REPOSITORY=$(GITHUB_REPOSITORY) $(GORELEASER) release --clean --snapshot --skip-sign + +.PHONY: install-goreleaser +install-goreleaser: + $(call go-install-tool,$(GORELEASER),github.com/goreleaser/goreleaser@$(GORELEASER_VERSION),$(GORELEASER_VERSION)) + +# go-install-tool will 'go install' any package $2 and install it to $1. +define go-install-tool +@[ -f $(1)-$(3) ] || { \ +set -e ;\ +GOBIN=$$(dirname $(1)) go install $(2) ;\ +touch $(1)-$(3) ;\ +} +endef From 2dc75d9d295cbccd4822deef73b756b5d12b2ec8 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Fri, 11 Aug 2023 00:49:30 +0200 Subject: [PATCH 034/135] docs: briefly outline release procedure Signed-off-by: Hidde Beydals --- docs/release.md | 74 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 docs/release.md diff --git a/docs/release.md b/docs/release.md new file mode 100644 index 000000000..42207b35c --- /dev/null +++ b/docs/release.md 
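Review bot: Dropping `.PHONY: all test generate clean vendor functional-tests` leaves `clean` without a phony declaration, because the per-target `.PHONY` lines this patch adds cover `all`, `origin-build`, `vendor`, `test`, `generate`, `functional-tests`, `functional-tests-all`, `release-snapshot` and `install-goreleaser` but not `clean`; if a `clean` target still exists outside these hunks it needs its own `.PHONY: clean`. In `go-install-tool`, `GOBIN=$$(dirname $(1)) go install $(2) ;\` calls bare `go` while every other rule goes through `$(GO)`, which sets `GOPROXY`, so the tool install silently bypasses that setting; `GOBIN=$$(dirname $(1)) $(GO) install $(2) ;\` keeps it consistent. The macro's comment could also mention its third argument, e.g. `# go-install-tool will 'go install' any package $2 into $1 and record the installed version in a $1-$3 marker file`, since the marker is what makes the rule idempotent.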
@@ -0,0 +1,74 @@ +# Release procedure + +This document describes the procedure for releasing a new version of SOPS. It +is intended for maintainers of the project, but may be useful for anyone +interested in the release process. + +## Overview + +The release is performed by creating a signed tag for the release, and pushing +it to GitHub. This will automatically trigger a GitHub Actions workflow that +builds the binaries, packages, SBOMs, and other artifacts for the release +using [GoReleaser](https://goreleaser.com), and uploads them to GitHub. + +The configuration for GoReleaser is in the file +[`.goreleaser.yaml`](../.goreleaser.yaml). The configuration for the GitHub +Actions workflow is in the file +[`release.yml`](../.github/workflows/release.yml). + +This configuration is quite sophisticated, and ensures at least the following: + +- The release is built for multiple platforms and architectures, including + Linux, macOS, and Windows, and for both AMD64 and ARM64. +- The release includes multiple packages in Debian and RPM formats. +- For every binary, a corresponding SBOM is generated and published. +- For all binaries, a checksum file is generated and signed using + [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. +- Both Debian and Alpine Docker multi-arch images are built and pushed to GitHub + Container Registry and Quay.io. +- The container images are signed using + [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. +- [SLSA provenance](https://slsa.dev/provenance/v0.2) metadata is generated for + release artifacts and container images. + +## Preparation + +- [ ] Ensure that all changes intended for the release are merged into the + `main` branch. At present, this means that all pull requests attached to the + milestone for the release are merged. If there are any pull requests that + should not be included in the release, move them to a different milestone. 
+- [ ] Create a pull request to update the [`CHANGELOG.rst`](../CHANGELOG.rst) + file. This should include a summary of all changes since the last release, + including references to any relevant pull requests. +- [ ] In this same pull request, update the version number in `version/version.go` + to the new version number. +- [ ] Get approval for the pull request from at least one other maintainer, and + merge it into `main`. +- [ ] Ensure CI passes on the `main` branch. + +## Release + +- [ ] Ensure your local copy of the `main` branch is up-to-date: + + ```sh + git checkout main + git pull + ``` +- [ ] Create a **signed tag** for the release, using the following command: + + ```sh + git tag -s -m + ``` + + where `` is the version number of the release. The version number + should be in the form `vX.Y.Z`, where `X`, `Y`, and `Z` are integers. The + version number should be incremented according to + [semantic versioning](https://semver.org/). +- [ ] Push the tag to GitHub: + + ```sh + git push origin + ``` + +- [ ] Ensure the release is built successfully on GitHub Actions. This will + automatically create a release on GitHub. From 82f416343efbce0883adfeedeb60df3f16ecfdec Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Fri, 11 Aug 2023 00:51:16 +0200 Subject: [PATCH 035/135] release: update GoReleaser to 1.20.0 Which now allows us to set the `mod_timestamp` on universal binaries. Signed-off-by: Hidde Beydals --- .github/workflows/release.yml | 2 +- .goreleaser.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 26f22eb21..0b7168b02 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -64,7 +64,7 @@ jobs: id: goreleaser uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0 with: - version: 1.19.x + version: 1.20.x args: release --clean --timeout 1h env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/.goreleaser.yaml b/.goreleaser.yaml index b77cf56b3..db54448d1 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -82,8 +82,8 @@ universal_binaries: # darwin/arm64. replace: false # Modified timestamp on the binary, set to ensure reproducible builds. - # NB: Available in (unreleased) GoReleaser >=1.20.0. - # mod_timestamp: "{{ .CommitTimestamp }}" + # NB: Available in GoReleaser >=1.20.0. + mod_timestamp: "{{ .CommitTimestamp }}" # xref: https://goreleaser.com/customization/nfpm/ nfpms: From 24ccda0d6ef9cf561d0c9c091ac3ca811b9a9e51 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Fri, 11 Aug 2023 23:12:44 +0200 Subject: [PATCH 036/135] release: further improvements based on feedback - Describe difference between Debian (slim) and Alpine image - Add `-o text` flag to `cosign verify` example to print readable text instead of JSON blob - Fix typo in one of the `ghcr.io` domains - Use correct OCI annotation for image "title" Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index db54448d1..db87d598b 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -175,7 +175,7 @@ dockers: - "--pull" - "--platform=linux/amd64" - "--label=org.opencontainers.image.created={{ .Date }}" - - "--label=org.opencontainers.image.name={{ .ProjectName }}" + - "--label=org.opencontainers.image.title={{ .ProjectName }}" - "--label=org.opencontainers.image.revision={{ .FullCommit }}" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.source={{ .GitURL }}" 
@@ -193,7 +193,7 @@ dockers: - "--pull" - "--platform=linux/arm64" - "--label=org.opencontainers.image.created={{ .Date }}" - - "--label=org.opencontainers.image.name={{ .ProjectName }}" + - "--label=org.opencontainers.image.title={{ .ProjectName }}" - "--label=org.opencontainers.image.revision={{ .FullCommit }}" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.source={{ .GitURL }}" @@ -211,7 +211,7 @@ dockers: - "--pull" - "--platform=linux/amd64" - "--label=org.opencontainers.image.created={{ .Date }}" - - "--label=org.opencontainers.image.name={{ .ProjectName }}" + - "--label=org.opencontainers.image.title={{ .ProjectName }}" - "--label=org.opencontainers.image.revision={{ .FullCommit }}" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.source={{ .GitURL }}" @@ -229,7 +229,7 @@ dockers: - "--pull" - "--platform=linux/arm64" - "--label=org.opencontainers.image.created={{ .Date }}" - - "--label=org.opencontainers.image.name={{ .ProjectName }}" + - "--label=org.opencontainers.image.title={{ .ProjectName }}" - "--label=org.opencontainers.image.revision={{ .FullCommit }}" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.source={{ .GitURL }}" 
@@ -328,19 +328,21 @@ release: curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/provenance.intoto.jsonl # Verify the provenance of the artifact - slsa-verifier \ + slsa-verifier verify-artifact \ --provenance-path provenance.intoto.jsonl \ --source-uri github.com/{{ .Env.GITHUB_REPOSITORY }} \ --source-tag {{ .Tag }} ``` ## Container Images + + The `{{ .ProjectName }}` binaries are also available as container images, based on Debian (slim) and Alpine Linux. The Debian-based container images include any dependencies which may be required to make use of certain key services, such as GnuPG, AWS KMS, Azure Key Vault, and Google Cloud KMS. The Alpine-based container images are smaller in size, but do not include these dependencies. These container images are available for the following architectures: `linux/amd64` and `linux/arm64`. ### GitHub Container Registry - - `ghrc.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}` + - `ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}` - `ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-alpine` ### Quay.io @@ -355,7 +357,8 @@ release: ```shell cosign verify ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }} \ --certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + -o text ``` ### Verify container image provenance From 0f669f41ffff00e711ba680f8f85033731fb4db5 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 6 Jul 2023 23:21:15 +0200 Subject: [PATCH 037/135] docs: rename `mozilla/sops` -> `getsops/sops` Signed-off-by: Hidde Beydals --- README.rst | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/README.rst b/README.rst index 76c6d71d7..460c83431 100644 --- a/README.rst +++ b/README.rst 
@@ -17,19 +17,18 @@ Download Stable release ~~~~~~~~~~~~~~ -Binaries and packages of the latest stable release are available at `https://github.com/mozilla/sops/releases `_. +Binaries and packages of the latest stable release are available at `https://github.com/getsops/sops/releases `_. Development branch ~~~~~~~~~~~~~~~~~~ -For the adventurous, unstable features are available in the `develop` branch, which you can install from source: +For the adventurous, unstable features are available in the `main` branch, which you can install from source: .. code:: bash - $ mkdir -p $GOPATH/src/github.com/getsops/sops/v3/ - $ git clone https://github.com/mozilla/sops.git $GOPATH/src/github.com/getsops/sops/v3/ - $ cd $GOPATH/src/github.com/getsops/sops/v3/ - $ git checkout develop - $ make install + $ mkdir -p $GOPATH/src/github.com/getsops/sops/ + $ git clone https://github.com/getsops/sops.git $GOPATH/src/github.com/getsops/sops/ + $ cd $GOPATH/src/github.com/getsops/sops/ + $ make install (requires Go >= 1.18) @@ -97,7 +96,7 @@ Editing will happen in whatever ``$EDITOR`` is set to, or, if it's not set, in v Keep in mind that sops will wait for the editor to exit, and then try to reencrypt the file. Some GUI editors (atom, sublime) spawn a child process and then exit immediately. They usually have an option to wait for the main editor window to be -closed before exiting. See `#127 `_ for +closed before exiting. See `#127 `_ for more information. The resulting encrypted file looks like this: @@ -163,7 +162,7 @@ Test with the dev PGP key If you want to test **sops** without having to do a bunch of setup, you can use the example files and pgp key provided with the repository:: - $ git clone https://github.com/mozilla/sops.git + $ git clone https://github.com/getsops/sops.git $ cd sops $ gpg --import pgp/sops_functional_tests_key.asc $ sops example.yaml 
@@ -645,7 +644,7 @@ found, the filename of the file being created is compared with the filename regexes of the configuration file. The first regex that matches is selected, and its KMS and PGP keys are used to encrypt the file. It should be noted that the looking up of ``.sops.yaml`` is from the working directory (CWD) instead of -the directory of the encrypting file (see `Issue 242 `_). +the directory of the encrypting file (see `Issue 242 `_). The path_regex checks the path of the encrypting file relative to the .sops.yaml config file. Here is another example: @@ -1235,7 +1234,7 @@ But this one will work just fine: Examples -------- -Take a look into the `examples `_ folder for detailed use cases of sops in a CI environment. The section below describes specific tips for common use cases. +Take a look into the `examples `_ folder for detailed use cases of sops in a CI environment. The section below describes specific tips for common use cases. Creating a new file ~~~~~~~~~~~~~~~~~~~ @@ -1699,7 +1698,7 @@ The original authors were: * Adrian Utrilla @autrilla * Julien Vehent @jvehent -And a whole bunch of `contributors `_ +And a whole bunch of `contributors `_ Credits ------- From 5631d1e568a6efb77b51c7a11439073caba64b4a Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 6 Jul 2023 23:31:05 +0200 Subject: [PATCH 038/135] docs: update contributing guidelines Signed-off-by: Hidde Beydals --- CONTRIBUTING.md | 36 +++++++++++++++++++++--------------- README.rst | 2 +- 2 files changed, 22 insertions(+), 16 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 75897a045..a33b37e77 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,26 +1,32 @@ # Contributing to SOPS -Mozilla welcomes contributions from everyone. Here are a few guidelines and instructions if you're thinking of helping with the development of SOPS. +The SOPS project welcomes contributions from everyone. Here are a few guidelines +and instructions if you are thinking of helping with the development of SOPS. # Getting started -* Make sure you have Go 1.12 or greater installed. You can find information on how to install Go [here](https://golang.org/dl/) -* After following the [Go installation guide](https://golang.org/doc/install), run `go get github.com/getsops/sops/v3`. This will automatically clone this repository. -* Switch into sops's directory, which will be in `$GOPATH/src/github.com/getsops/sops/v3`. -* Run the tests with `make test`. They should all pass. -* Fork the project on GitHub. -* Add your fork to git's remotes: - * If you use SSH authentication: `git remote add git@github.com:/sops.git`. - * Otherwise: `git remote add https://github.com//sops.git`. -* **Switch to the `develop` branch: `git checkout develop`** -* Make any changes you want to sops, commit them, and push them to your fork. -* **Create a pull request against `develop`**, and a contributor will come by and review your code. They may ask for some changes, and hopefully your contribution will be merged to the `develop` branch! +- Make sure you have Go 1.19 or greater installed. You can find information on + how to install Go [here](https://go.dev/doc/install) +- Clone the Git repository and switch into SOPS's directory. +- Run the tests with `make test`. They should all pass. +- Fork the project on GitHub. +- Add your fork to Git's remotes: + + If you use SSH authentication: `git remote add git@github.com:/sops.git`. + + Otherwise: `git remote add https://github.com//sops.git`. +- Make any changes you want to SOPS, commit them, and push them to your fork. 
+- **Create a pull request against `main`**, and a maintainer will come by and + review your code. They may ask for some changes, and hopefully your + contribution will be merged! # Guidelines -* Unless it's particularly hard, changes that fix a bug should have a regression test to make sure that the bug is not introduced again. -* New features and changes to existing features should be documented, and, if possible, tested. +- Unless it's particularly hard, changes that fix a bug should have a regression + test to make sure that the bug is not introduced again. +- New features and changes to existing features should be documented, and, if + possible, tested. # Communication -If you need any help contributing to sops, several contributors are on the `#go` channel on [Mozilla's IRC server](https://wiki.mozilla.org/IRC). +If you need any help contributing to SOPS, several maintainers are on the +[`#sops-dev` channel](https://cloud-native.slack.com/archives/C059800AJBT) on +the [CNCF Slack](https://slack.cncf.io). diff --git a/README.rst b/README.rst index 460c83431..30e965e4b 100644 --- a/README.rst +++ b/README.rst @@ -30,7 +30,7 @@ For the adventurous, unstable features are available in the `main` branch, which $ cd $GOPATH/src/github.com/getsops/sops/ $ make install -(requires Go >= 1.18) +(requires Go >= 1.19) If you don't have Go installed, set it up with: From 19cf49e8ff2a13e31856e6354f12e533b3fc1280 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Fri, 7 Jul 2023 00:09:17 +0200 Subject: [PATCH 039/135] docs: update authors section in README Signed-off-by: Hidde Beydals --- README.rst | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/README.rst b/README.rst index 30e965e4b..749fb6e39 100644 --- a/README.rst +++ b/README.rst 
@@ -1689,16 +1689,17 @@ Mozilla Public License Version 2.0 Authors ------- -The core team is composed of: +SOPS was initially launched as a project at Mozilla in 2015 and has been +graciously donated to the CNCF as a Sandbox project in 2023, now under the +stewardship of a `new group of maintainers `_. -* AJ Banhken @ajvb - -The original authors were: +The original authors of the project were: * Adrian Utrilla @autrilla * Julien Vehent @jvehent -And a whole bunch of `contributors `_ +Furthermore, the project has been carried for a long time by AJ Bahnken @ajvb, +and had not been possible without the contributions of numerous `contributors `_. Credits ------- From 29619db577c4e8a27013e914f4a41c193e8bcb42 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Fri, 7 Jul 2023 00:17:20 +0200 Subject: [PATCH 040/135] docs: update security section Signed-off-by: Hidde Beydals --- README.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.rst b/README.rst index 749fb6e39..095fd81a0 100644 --- a/README.rst +++ b/README.rst @@ -1679,8 +1679,7 @@ file format introduced in **1.0**. Security -------- -Please report security issues to security at mozilla dot org, or by using one -of the contact method available here: `https://www.mozilla.org/en-US/security/#For_Developers `_ +Please report any security issues privately using `GitHub's advisory form `_. License ------- From dd200ce56c0ca849ae2640a9b827d388afcfeb42 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Fri, 11 Aug 2023 23:59:29 +0200 Subject: [PATCH 041/135] docs: add CNCF footer Signed-off-by: Hidde Beydals --- README.rst | 8 ++++++++ docs/images/cncf-color-bg.svg | 1 + 2 files changed, 9 insertions(+) create mode 100644 docs/images/cncf-color-bg.svg diff --git a/README.rst b/README.rst index 095fd81a0..94d110523 100644 --- a/README.rst +++ b/README.rst 
@@ -1708,3 +1708,11 @@ Credits `sneaker `_, `password store `_ and too many years managing PGP encrypted files by hand... + +----- + +.. image:: docs/images/cncf-color-bg.svg + :width: 400 + :alt: CNCF Sandbox Project + +**We are a** `Cloud Native Computing Foundation `_ **sandbox project.** diff --git a/docs/images/cncf-color-bg.svg b/docs/images/cncf-color-bg.svg new file mode 100644 index 000000000..c8d667f37 --- /dev/null +++ b/docs/images/cncf-color-bg.svg @@ -0,0 +1 @@ +cncf-color-bg.svg \ No newline at end of file From 9a58697a6d4ecf465bd02eebb47a7580fc7d0db7 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Sat, 12 Aug 2023 00:35:58 +0200 Subject: [PATCH 042/135] docs: add note to motivation section Signed-off-by: Hidde Beydals --- README.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.rst b/README.rst index 94d110523..4691ef3fb 100644 --- a/README.rst +++ b/README.rst @@ -1523,6 +1523,14 @@ the data key under tree->`sops`->`mac`. Motivation ---------- + 📝 **A note from the maintainers** + + This section was written by the original authors of SOPS while they were + working at Mozilla. It is kept here for historical reasons and to provide + technical background on the project. It is not necessarily representative + of the views of the current maintainers, nor are they currently affiliated + with Mozilla. + Automating the distribution of secrets and credentials to components of an infrastructure is a hard problem. We know how to encrypt secrets and share them between humans, but extending that trust to systems is difficult. Particularly From be49ee0768165613adaad477c0873db4b78c3168 Mon Sep 17 00:00:00 2001 From: Stoned Elipot Date: Sun, 11 Sep 2022 19:52:37 +0200 Subject: [PATCH 043/135] Only report version check when it can be Signed-off-by: Stoned Elipot --- version/version.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/version/version.go b/version/version.go index 0527b5255..bd4e4a731 100644 
--- a/version/version.go +++ b/version/version.go @@ -26,11 +26,12 @@ func PrintVersion(c *cli.Context) { outdated, err := AIsNewerThanB(upstreamVersion, Version) if err != nil { out += fmt.Sprintf("\n[warning] failed to compare current version with latest: %v\n", err) - } - if outdated { - out += fmt.Sprintf("\n[info] sops %s is available, update with `go get -u github.com/getsops/sops/v3/cmd/sops`\n", upstreamVersion) } else { - out += " (latest)\n" + if outdated { + out += fmt.Sprintf("\n[info] sops %s is available, update with `go get -u github.com/getsops/sops/v3/cmd/sops`\n", upstreamVersion) + } else { + out += " (latest)\n" + } } } fmt.Fprintf(c.App.Writer, "%s", out) From a4fef711dd4aba1506c2349393b7defe7af3414b Mon Sep 17 00:00:00 2001 From: Hamish Robertson Date: Tue, 17 May 2022 13:21:46 +0100 Subject: [PATCH 044/135] Add missing --encrypt flag from Vault example --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index 4691ef3fb..c4c5d1754 100644 --- a/README.rst +++ b/README.rst @@ -358,7 +358,7 @@ To easily deploy Vault locally: (DO NOT DO THIS FOR PRODUCTION!!!) $ vault write sops/keys/thirdkey type=chacha20-poly1305 Success! Data written to: sops/keys/thirdkey - $ sops --hc-vault-transit $VAULT_ADDR/v1/sops/keys/firstkey vault_example.yml + $ sops --encrypt --hc-vault-transit $VAULT_ADDR/v1/sops/keys/firstkey vault_example.yml $ cat < .sops.yaml creation_rules: From 4f8267a3d84989e92d037566bb09a4b14609ee6f Mon Sep 17 00:00:00 2001 From: Vincent Behar Date: Fri, 2 Jul 2021 14:42:07 +0200 Subject: [PATCH 045/135] fix: `set` feature when adding a new root hierarchy fixes #407 with this fix, when adding a new root hierarchy, the existing root entries won't be dropped anymore Signed-off-by: Vincent Behar --- sops.go | 7 ++++--- sops_test.go | 30 ++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 3 deletions(-) diff --git a/sops.go b/sops.go index 28aed98a4..daebb2352 100644 
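Review bot: The new `if outdated { … } else { … }` block is nested one level inside the `else` of the error check, where Go's `else if` form reads flatter and drops a brace pair: `} else if outdated {` followed by the existing `} else {` and `}`. The body of `PrintVersion` starts outside the hunk. While this line is being touched, the update hint it prints still recommends `go get -u github.com/getsops/sops/v3/cmd/sops`; installing a command that way has been deprecated since Go 1.17 in favour of `go install github.com/getsops/sops/v3/cmd/sops@latest`, so the message text is worth updating at the same time.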
--- a/sops.go +++ b/sops.go @@ -155,10 +155,11 @@ func set(branch interface{}, path []interface{}, value interface{}) interface{} } } // Not found, need to add the next path entry to the branch - if len(path) == 1 { - return append(branch, TreeItem{Key: path[0], Value: value}) + value := valueFromPathAndLeaf(path, value) + if newBranch, ok := value.(TreeBranch); ok && len(newBranch) > 0 { + return append(branch, newBranch[0]) } - return valueFromPathAndLeaf(path, value) + return branch case []interface{}: position := path[0].(int) if len(path) == 1 { diff --git a/sops_test.go b/sops_test.go index 1386bbcc6..549de80bf 100644 --- a/sops_test.go +++ b/sops_test.go @@ -577,6 +577,36 @@ func TestSetNewKey(t *testing.T) { assert.Equal(t, "hello", set[0].Value.(TreeBranch)[0].Value.(TreeBranch)[1].Value) } +func TestSetNewBranch(t *testing.T) { + branch := TreeBranch{ + TreeItem{ + Key: "key", + Value: "value", + }, + } + set := branch.Set([]interface{}{"foo", "bar", "baz"}, "hello") + assert.Equal(t, TreeBranch{ + TreeItem{ + Key: "key", + Value: "value", + }, + TreeItem{ + Key: "foo", + Value: TreeBranch{ + TreeItem{ + Key: "bar", + Value: TreeBranch{ + TreeItem{ + Key: "baz", + Value: "hello", + }, + }, + }, + }, + }, + }, set) +} + func TestSetArrayDeepNew(t *testing.T) { branch := TreeBranch{ TreeItem{ From 1099803609cb14d288143aa48907a129a9920237 Mon Sep 17 00:00:00 2001 From: Jason Banich Date: Fri, 15 Nov 2019 14:06:52 -0800 Subject: [PATCH 046/135] Sort sops parameters in dotenv file --- stores/dotenv/store.go | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/stores/dotenv/store.go b/stores/dotenv/store.go index dedf8817c..41124ab0f 100644 --- a/stores/dotenv/store.go +++ b/stores/dotenv/store.go @@ -4,6 +4,7 @@ import ( "bytes" "encoding/json" "fmt" + "sort" "strings" "github.com/getsops/sops/v3" 
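Review bot: `value := valueFromPathAndLeaf(path, value)` shadows the `value` parameter with a new variable of a different type, which makes the type assertion on the next line harder to read; a distinct name, `newValue := valueFromPathAndLeaf(path, value)` with `newValue.(TreeBranch)`, avoids that. When the helper returns anything other than a non-empty `TreeBranch`, the new `return branch` silently drops the write; if that case cannot occur by construction, a comment stating so would help (the helper's body is not in this hunk), and otherwise a panic or error path is more honest than a discarded update. The function `set` starts and ends outside the hunk.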
@@ -98,7 +99,14 @@ func (store *Store) EmitEncryptedFile(in sops.Tree) ([]byte, error) { if err != nil { return nil, err } - for key, value := range mdItems { + var keys []string + for k := range mdItems { + keys = append(keys, k) + } + sort.Strings(keys) + + for _, key := range keys { + var value = mdItems[key] if value == nil { continue } From ea5502b4d63d363d3be54aebcdc4c7eeb9b3b96e Mon Sep 17 00:00:00 2001 From: Andraz Bajt Date: Thu, 4 Aug 2022 09:34:58 +0200 Subject: [PATCH 047/135] Add a test for dotenv output ordering Signed-off-by: Andraz Bajt --- stores/dotenv/store_test.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/stores/dotenv/store_test.go b/stores/dotenv/store_test.go index 163ddb022..dc0c2d1de 100644 --- a/stores/dotenv/store_test.go +++ b/stores/dotenv/store_test.go @@ -63,3 +63,20 @@ func TestEmitValueNonstring(t *testing.T) { _, err := (&Store{}).EmitValue(BRANCH) assert.NotNil(t, err) } + +func TestEmitEncryptedFileStability(t *testing.T) { + // emit the same tree multiple times to ensure the output is stable + // i.e. emitting the same tree always yields exactly the same output + var previous []byte + for i := 0; i < 10; i += 1 { + bytes, err := (&Store{}).EmitEncryptedFile(sops.Tree{ + Branches: []sops.TreeBranch{{}}, + }) + assert.Nil(t, err) + assert.NotEmpty(t, bytes) + if previous != nil { + assert.Equal(t, previous, bytes) + } + previous = bytes + } +} From 4f71b76e6b946a0b2c93b1d7464491b3f6543275 Mon Sep 17 00:00:00 2001 From: Henning Ramberger Date: Sat, 1 Apr 2023 15:15:49 +0000 Subject: [PATCH 048/135] Add documentation on how to use age in.sops.yaml Co-authored-by: Hidde Beydals Signed-off-by: Henning Ramberger --- README.rst | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/README.rst b/README.rst index c4c5d1754..45abff539 100644 --- a/README.rst +++ b/README.rst 
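Review bot: The key-collection loop can pre-size its slice since the map length is known, `keys := make([]string, 0, len(mdItems))`, and `var value = mdItems[key]` is the non-idiomatic spelling of `value := mdItems[key]`. Sorting the keys is the right fix for Go's randomised map iteration order, and a short comment such as `// sort keys so the emitted sops metadata is deterministic across runs` would record why the loop no longer ranges over the map directly. `EmitEncryptedFile` starts and ends outside the hunk. In the accompanying `store_test.go` hunk, `for i := 0; i < 10; i += 1` is conventionally written with `i++`.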
@@ -594,19 +594,19 @@ KMS and PGP master keys defined in the file. sops -r example.yaml -Using .sops.yaml conf to select KMS/PGP for new files +Using .sops.yaml conf to select KMS, PGP and age for new files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -It is often tedious to specify the ``--kms`` ``--gcp-kms`` and ``--pgp`` parameters for creation +It is often tedious to specify the ``--kms`` ``--gcp-kms`` ``--pgp`` and ``--age`` parameters for creation of all new files. If your secrets are stored under a specific directory, like a ``git`` repository, you can create a ``.sops.yaml`` configuration file at the root directory to define which keys are used for which filename. Let's take an example: -* file named **something.dev.yaml** should use one set of KMS A -* file named **something.prod.yaml** should use another set of KMS B -* other files use a third set of KMS C +* file named **something.dev.yaml** should use one set of KMS A, PGP and age +* file named **something.prod.yaml** should use another set of KMS B, PGP and age +* other files use a third set of KMS C and PGP * all live under **mysecretrepo/something.{dev,prod,gcp}.yaml** Under those circumstances, a file placed at **mysecretrepo/.sops.yaml** 
@@ -617,15 +617,17 @@ can manage the three sets of configurations for the three types of files: # creation rules are evaluated sequentially, the first match wins creation_rules: # upon creation of a file that matches the pattern *.dev.yaml, - # KMS set A is used + # KMS set A as well as PGP and age is used - path_regex: \.dev\.yaml$ kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' + age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla' - # prod files use KMS set B in the PROD IAM + # prod files use KMS set B in the PROD IAM, PGP and age - path_regex: \.prod\.yaml$ kms: 'arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod,arn:aws:kms:eu-central-1:361527076523:key/cb1fab90-8d17-42a1-a9d8-334968904f94+arn:aws:iam::361527076523:role/hiera-sops-prod' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' + age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla' hc_vault_uris: "http://localhost:8200/v1/sops/keys/thirdkey" # gcp files using GCP KMS @@ -633,7 +635,7 @@ can manage the three sets of configurations for the three types of files: gcp_kms: projects/mygcproject/locations/global/keyRings/mykeyring/cryptoKeys/thekey # Finally, if the rules above have not matched, this one is a - # catchall that will encrypt the file using KMS set C + # catchall that will encrypt the file using KMS set C as well as PGP # The absence of a path_regex means it will match everything - kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:142069644989:key/846cfb17-373d-49b9-8baf-f36b04512e47,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' 
From d6579e8f34458ad3f8a1f93ca7afb8d63b2901c9 Mon Sep 17 00:00:00 2001 From: Brian Kemper Date: Wed, 16 Aug 2023 14:28:22 -0600 Subject: [PATCH 049/135] Clean up more Mozilla references Signed-off-by: Brian Kemper --- go.mod | 2 +- go.sum | 4 ++-- pgp/keysource.go | 2 +- version/version.go | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 4ddad8b24..77e8f7228 100644 --- a/go.mod +++ b/go.mod @@ -19,6 +19,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/sts v1.21.2 github.com/blang/semver v3.5.1+incompatible github.com/fatih/color v1.15.0 + github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a github.com/golang/protobuf v1.5.3 github.com/google/go-cmp v0.5.9 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 @@ -32,7 +33,6 @@ require ( github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.8.4 github.com/urfave/cli v1.22.14 - go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a golang.org/x/crypto v0.12.0 golang.org/x/net v0.14.0 golang.org/x/sys v0.11.0 diff --git a/go.sum b/go.sum index 2bced74f6..98c3480e8 100644 --- a/go.sum +++ b/go.sum @@ -133,6 +133,8 @@ github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYF github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= +github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a h1:qc+7TV35Pq/FlgqECyS5ywq8cSN9j1fwZg6uyZ7G0B0= +github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a/go.mod h1:awFzISqLJoZLm+i9QQ4SgMNHDqljH6jWV0B36V5MrUM= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo= github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= 
@@ -321,8 +323,6 @@ github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a h1:N7VD+PwpJME2ZfQT8+ejxwA4Ow10IkGbU0MGf94ll8k= -go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a/go.mod h1:YDKUvO0b//78PaaEro6CAPH6NqohCmL2Cwju5XI2HoE= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= diff --git a/pgp/keysource.go b/pgp/keysource.go index 10f582da8..c8e16fa7d 100644 --- a/pgp/keysource.go +++ b/pgp/keysource.go @@ -21,7 +21,7 @@ import ( "github.com/ProtonMail/go-crypto/openpgp" "github.com/ProtonMail/go-crypto/openpgp/armor" "github.com/sirupsen/logrus" - gpgagent "go.mozilla.org/gopgagent" + gpgagent "github.com/getsops/gopgagent" "github.com/getsops/sops/v3/logging" "golang.org/x/term" ) diff --git a/version/version.go b/version/version.go index bd4e4a731..095433130 100644 --- a/version/version.go +++ b/version/version.go @@ -63,7 +63,7 @@ func AIsNewerThanB(A, B string) (bool, error) { // RetrieveLatestVersionFromUpstream gets the latest version from the source code at Github func RetrieveLatestVersionFromUpstream() (string, error) { - resp, err := http.Get("https://raw.githubusercontent.com/mozilla/sops/master/version/version.go") + resp, err := http.Get("https://raw.githubusercontent.com/getsops/sops/master/version/version.go") if err != nil { return "", err } From a46df07f6ea7fd08d9bff4dd5aa51ca1a4f65e5a Mon Sep 17 00:00:00 2001 
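Review bot: The rewritten `http.Get` line still uses the default client, which has no timeout, so an unreachable upstream blocks the version check indefinitely; `client := &http.Client{Timeout: 10 * time.Second}` followed by `resp, err := client.Get(...)` bounds it (this needs `time` imported, which cannot be seen here). The URL also hard-codes the `master` branch of the new `getsops/sops` repository; confirm that branch name is still valid after the move, since a rename would turn every version check into an error. The rest of RetrieveLatestVersionFromUpstream, including any status-code check and `resp.Body.Close()`, lies outside the hunk.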
From: Hidde Beydals
Date: Sat, 12 Aug 2023 01:51:24 +0200
Subject: [PATCH 050/135] build: actually run `go vet` for whole project

Signed-off-by: Hidde Beydals
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 334bdcff8..61a46212a 100644
--- a/Makefile
+++ b/Makefile
@@ -33,7 +33,7 @@ vendor:
 $(GO) mod vendor
 vet:
- $(GO) vet $(PROJECT)
+ $(GO) vet ./...
 .PHONY: test
 test: vendor
From 0b495cba7debc781a7111eacd251cc1db6689fe7 Mon Sep 17 00:00:00 2001
From: Hidde Beydals Date: Sat, 12 Aug 2023 01:54:34 +0200 Subject: [PATCH 051/135] *: solve `go vet` errors ``` stores/dotenv/store.go:74:12: github.com/getsops/sops/v3.Comment struct literal uses unkeyed fields stores/dotenv/store_test.go:29:10: github.com/getsops/sops/v3.Comment struct literal uses unkeyed fields keyservice/server.go:149:9: assignment copies lock value to key: github.com/getsops/sops/v3/keyservice.Key contains google.golang.org/protobuf/internal/impl.MessageState contains sync.Mutex keyservice/server.go:206:20: call of ks.prompt copies lock value: github.com/getsops/sops/v3/keyservice.Key contains google.golang.org/protobuf/internal/impl.MessageState contains sync.Mutex keyservice/server.go:214:22: keyToString passes lock by value: github.com/getsops/sops/v3/keyservice.Key contains google.golang.org/protobuf/internal/impl.MessageState contains sync.Mutex keyservice/server.go:231:29: prompt passes lock by value: github.com/getsops/sops/v3/keyservice.Key contains google.golang.org/protobuf/internal/impl.MessageState contains sync.Mutex keyservice/server.go:232:27: call of keyToString copies lock value: github.com/getsops/sops/v3/keyservice.Key contains google.golang.org/protobuf/internal/impl.MessageState contains sync.Mutex keyservice/server.go:251:9: assignment copies lock value to key: github.com/getsops/sops/v3/keyservice.Key contains google.golang.org/protobuf/internal/impl.MessageState contains sync.Mutex keyservice/server.go:308:20: call of ks.prompt copies lock value: github.com/getsops/sops/v3/keyservice.Key contains google.golang.org/protobuf/internal/impl.MessageState contains sync.Mutex stores/yaml/store_test.go:27:11: github.com/getsops/sops/v3.Comment struct literal uses unkeyed fields stores/yaml/store_test.go:39:11: github.com/getsops/sops/v3.Comment struct literal uses unkeyed fields stores/yaml/store_test.go:107:5: github.com/getsops/sops/v3.Comment struct literal uses unkeyed fields stores/yaml/store_test.go:139:13: 
github.com/getsops/sops/v3.Comment struct literal uses unkeyed fields decrypt/example_test.go:34:1: ExampleDecryptFile refers to unknown identifier: DecryptFile ``` Signed-off-by: Hidde Beydals --- decrypt/example_test.go | 2 +- keyservice/server.go | 8 ++++---- stores/dotenv/store.go | 2 +- stores/dotenv/store_test.go | 4 ++-- stores/yaml/store_test.go | 18 +++++++++--------- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/decrypt/example_test.go b/decrypt/example_test.go index 0ccdc87aa..dcdd33211 100644 --- a/decrypt/example_test.go +++ b/decrypt/example_test.go @@ -31,7 +31,7 @@ type configuration struct { AnEmptyValue string `json:"anEmptyValue"` } -func ExampleDecryptFile() { +func ExampleFile() { var ( confPath string = "./example.json" cfg configuration diff --git a/keyservice/server.go b/keyservice/server.go index 82c1a4855..480a66e8b 100644 --- a/keyservice/server.go +++ b/keyservice/server.go @@ -146,7 +146,7 @@ func (ks *Server) decryptWithAge(key *AgeKey, ciphertext []byte) ([]byte, error) // result func (ks Server) Encrypt(ctx context.Context, req *EncryptRequest) (*EncryptResponse, error) { - key := *req.Key + key := req.Key var response *EncryptResponse switch k := key.KeyType.(type) { case *Key_PgpKey: @@ -211,7 +211,7 @@ func (ks Server) Encrypt(ctx context.Context, return response, nil } -func keyToString(key Key) string { +func keyToString(key *Key) string { switch k := key.KeyType.(type) { case *Key_PgpKey: return fmt.Sprintf("PGP key with fingerprint %s", k.PgpKey.Fingerprint) @@ -228,7 +228,7 @@ func keyToString(key Key) string { } } -func (ks Server) prompt(key Key, requestType string) error { +func (ks Server) prompt(key *Key, requestType string) error { keyString := keyToString(key) var response string for response != "y" && response != "n" { 
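Review bot: `key := req.Key` is now a pointer that the next line dereferences through `key.KeyType`, but nothing checks `req.Key` for nil, so a request that carries no key panics instead of being rejected, and in a long-running key service that is a crash unless a recovery interceptor is installed. The `go vet` fix is a good moment to add `if req.Key == nil { return nil, fmt.Errorf("encrypt request contains no key") }` before the assignment (`fmt` is already imported, as `keyToString` shows). The same guard is missing on the identical `key := req.Key` line in the `Decrypt` hunk of the next file section. Both `Encrypt` and `Decrypt` continue outside their hunks.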
@@ -248,7 +248,7 @@ func (ks Server) prompt(key Key, requestType string) error { // result func (ks Server) Decrypt(ctx context.Context, req *DecryptRequest) (*DecryptResponse, error) { - key := *req.Key + key := req.Key var response *DecryptResponse switch k := key.KeyType.(type) { case *Key_PgpKey: diff --git a/stores/dotenv/store.go b/stores/dotenv/store.go index 41124ab0f..fad0f3494 100644 --- a/stores/dotenv/store.go +++ b/stores/dotenv/store.go @@ -72,7 +72,7 @@ func (store *Store) LoadPlainFile(in []byte) (sops.TreeBranches, error) { } if line[0] == '#' { branch = append(branch, sops.TreeItem{ - Key: sops.Comment{string(line[1:])}, + Key: sops.Comment{Value: string(line[1:])}, Value: nil, }) } else { diff --git a/stores/dotenv/store_test.go b/stores/dotenv/store_test.go index dc0c2d1de..c234d4ea5 100644 --- a/stores/dotenv/store_test.go +++ b/stores/dotenv/store_test.go @@ -4,8 +4,8 @@ import ( "strings" "testing" - "github.com/stretchr/testify/assert" "github.com/getsops/sops/v3" + "github.com/stretchr/testify/assert" ) var PLAIN = []byte(strings.TrimLeft(` @@ -26,7 +26,7 @@ var BRANCH = sops.TreeBranch{ Value: "val2", }, sops.TreeItem{ - Key: sops.Comment{"comment"}, + Key: sops.Comment{Value: "comment"}, Value: nil, }, sops.TreeItem{ diff --git a/stores/yaml/store_test.go b/stores/yaml/store_test.go index bf0e1bfaa..f37e3deb4 100644 --- a/stores/yaml/store_test.go +++ b/stores/yaml/store_test.go @@ -3,8 +3,8 @@ package yaml import ( "testing" - "github.com/stretchr/testify/assert" "github.com/getsops/sops/v3" + "github.com/stretchr/testify/assert" ) var PLAIN = []byte(`--- @@ -24,7 +24,7 @@ key1_a: value var BRANCHES = sops.TreeBranches{ sops.TreeBranch{ sops.TreeItem{ - Key: sops.Comment{" comment 0"}, + Key: sops.Comment{Value: " comment 0"}, Value: nil, }, sops.TreeItem{ @@ -36,7 +36,7 @@ var BRANCHES = sops.TreeBranches{ Value: "value", }, sops.TreeItem{ - Key: sops.Comment{" ^ comment 1"}, + Key: sops.Comment{Value: " ^ comment 1"}, Value: nil, }, }, 
@@ -101,10 +101,10 @@ var COMMENT_6 = []byte(`a: var COMMENT_6_BRANCHES = sops.TreeBranches{ sops.TreeBranch{ sops.TreeItem{ - Key: "a", + Key: "a", Value: []interface{}{ "a", - sops.Comment{" I no longer get duplicated"}, + sops.Comment{Value: " I no longer get duplicated"}, sops.TreeBranch{}, }, }, @@ -124,10 +124,10 @@ e: var COMMENT_7_BRANCHES = sops.TreeBranches{ sops.TreeBranch{ sops.TreeItem{ - Key: "a", + Key: "a", Value: sops.TreeBranch{ sops.TreeItem{ - Key: "b", + Key: "b", Value: sops.TreeBranch{ sops.TreeItem{ Key: "c", @@ -136,13 +136,13 @@ var COMMENT_7_BRANCHES = sops.TreeBranches{ }, }, sops.TreeItem{ - Key: sops.Comment{" comment"}, + Key: sops.Comment{Value: " comment"}, Value: nil, }, }, }, sops.TreeItem{ - Key: "e", + Key: "e", Value: []interface{}{ "f", }, From 496705c08457fe4c3e28c8fa1d5fdd57a4f2f4eb Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Mon, 14 Aug 2023 23:11:19 +0200 Subject: [PATCH 052/135] build: replace `golint` with `staticcheck` As it has been deprecated for about ~2 years in favor of `go vet` and tools like `staticcheck`. Signed-off-by: Hidde Beydals --- Makefile | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index 61a46212a..5dc0a574f 100644 --- a/Makefile +++ b/Makefile 
@@ -2,15 +2,17 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. -PROJECT := github.com/getsops/sops/v3 -PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST)))) -GO := GOPROXY=https://proxy.golang.org go -GOLINT := golint +PROJECT := github.com/getsops/sops/v3 +PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST)))) +GO := GOPROXY=https://proxy.golang.org go -GITHUB_REPOSITORY ?= github.com/getsops/sops +GITHUB_REPOSITORY ?= github.com/getsops/sops -GORELEASER := $(PROJECT_DIR)/bin/goreleaser -GORELEASER_VERSION ?= v1.20.0 +STATICCHECK := $(PROJECT_DIR)/bin/staticcheck +STATICCHECK_VERSION := latest + +GORELEASER := $(PROJECT_DIR)/bin/goreleaser +GORELEASER_VERSION ?= v1.20.0 .PHONY: all all: test vet generate install functional-tests @@ -24,8 +26,9 @@ install: tag: all git tag -s $(TAGVER) -a -m "$(TAGMSG)" -lint: - $(GOLINT) $(PROJECT) +.PHONY: staticcheck +staticcheck: install-staticcheck + $(STATICCHECK) ./... .PHONY: vendor vendor: @@ -66,6 +69,10 @@ functional-tests-all: release-snapshot: install-goreleaser GITHUB_REPOSITORY=$(GITHUB_REPOSITORY) $(GORELEASER) release --clean --snapshot --skip-sign +.PHONY: install-staticcheck +install-staticcheck: + $(call go-install-tool,$(STATICCHECK),honnef.co/go/tools/cmd/staticcheck@$(STATICCHECK_VERSION),$(STATICCHECK_VERSION)) + .PHONY: install-goreleaser install-goreleaser: $(call go-install-tool,$(GORELEASER),github.com/goreleaser/goreleaser@$(GORELEASER_VERSION),$(GORELEASER_VERSION)) From a356b373e89ca34a099a62a12261962a1d4bb1d5 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Mon, 14 Aug 2023 23:35:54 +0200 Subject: [PATCH 053/135] *: address various simple `staticcheck` warnings Deprecation of `io/ioutil`, removal of unused functions, possible nil pointer dereference, and other tiny nits. There are (many) more, but these would require their own (commit) context. 
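Review bot: `STATICCHECK_VERSION := latest` leaves the linter unpinned while `GORELEASER_VERSION` sits pinned a few lines below, so every developer and CI run resolves whatever honnef.co publishes that day, the build stops being reproducible, and an unvetted tool is pulled into the toolchain. It is also self-defeating: `go-install-tool` keys its marker file on `$(1)-$(3)` (visible in a later hunk of this Makefile), so `bin/staticcheck-latest` is created once and never refreshed afterwards. Pin it like the other tools and make it overridable, `STATICCHECK_VERSION ?= <pinned-staticcheck-release>`.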
Signed-off-by: Hidde Beydals --- audit/audit.go | 8 ++++---- cmd/sops/common/common.go | 11 +++++------ cmd/sops/edit.go | 22 +++++++++------------- cmd/sops/encrypt.go | 9 ++++----- cmd/sops/subcommand/exec/exec.go | 5 ++--- cmd/sops/subcommand/publish/publish.go | 11 ++--------- config/config.go | 7 +++---- decrypt/decrypt.go | 4 ++-- go.mod | 2 +- keyservice/server.go | 2 +- pgp/keysource.go | 8 ++++---- pgp/keysource_test.go | 2 +- stores/yaml/store.go | 20 ++++++++++---------- usererrors.go | 10 +++++----- 14 files changed, 53 insertions(+), 68 deletions(-) diff --git a/audit/audit.go b/audit/audit.go index 035783e4e..1bbfde1cd 100644 --- a/audit/audit.go +++ b/audit/audit.go @@ -4,7 +4,7 @@ import ( "database/sql" "flag" "fmt" - "io/ioutil" + "os" "os/user" "github.com/pkg/errors" @@ -12,16 +12,16 @@ import ( // empty import as per https://godoc.org/github.com/lib/pq _ "github.com/lib/pq" - "gopkg.in/yaml.v3" - "github.com/sirupsen/logrus" "github.com/getsops/sops/v3/logging" + "github.com/sirupsen/logrus" + "gopkg.in/yaml.v3" ) var log *logrus.Logger func init() { log = logging.NewLogger("AUDIT") - confBytes, err := ioutil.ReadFile(configFile) + confBytes, err := os.ReadFile(configFile) if err != nil { log.WithField("error", err).Debugf("Error reading config") return diff --git a/cmd/sops/common/common.go b/cmd/sops/common/common.go index b675195bc..907125d28 100644 --- a/cmd/sops/common/common.go +++ b/cmd/sops/common/common.go @@ -2,14 +2,11 @@ package common import ( "fmt" - "io/ioutil" "os" "path/filepath" "time" "github.com/fatih/color" - wordwrap "github.com/mitchellh/go-wordwrap" - "github.com/urfave/cli" "github.com/getsops/sops/v3" "github.com/getsops/sops/v3/cmd/sops/codes" . "github.com/getsops/sops/v3/cmd/sops/formats" 
@@ -21,7 +18,9 @@ import ( "github.com/getsops/sops/v3/stores/json" "github.com/getsops/sops/v3/stores/yaml" "github.com/getsops/sops/v3/version" - "golang.org/x/crypto/ssh/terminal" + "github.com/mitchellh/go-wordwrap" + "github.com/urfave/cli" + "golang.org/x/term" ) // ExampleFileEmitter emits example files. This is used by the `sops` binary @@ -127,7 +126,7 @@ func EncryptTree(opts EncryptTreeOpts) error { // LoadEncryptedFile loads an encrypted SOPS file, returning a SOPS tree func LoadEncryptedFile(loader sops.EncryptedFileLoader, inputPath string) (*sops.Tree, error) { - fileBytes, err := ioutil.ReadFile(inputPath) + fileBytes, err := os.ReadFile(inputPath) if err != nil { return nil, NewExitError(fmt.Sprintf("Error reading file: %s", err), codes.CouldNotReadInputFile) } @@ -262,7 +261,7 @@ func FixAWSKMSEncryptionContextBug(opts GenericDecryptOpts, tree *sops.Tree) (*s persistFix := false - if terminal.IsTerminal(int(os.Stdout.Fd())) { + if term.IsTerminal(int(os.Stdout.Fd())) { var response string for response != "y" && response != "n" { fmt.Println("Would you like sops to automatically fix this issue? (y/n): ") diff --git a/cmd/sops/edit.go b/cmd/sops/edit.go index e72d8fb23..730d99214 100644 --- a/cmd/sops/edit.go +++ b/cmd/sops/edit.go @@ -1,26 +1,22 @@ package main import ( - "fmt" - "io/ioutil" - "os" - - "crypto/md5" - exec "golang.org/x/sys/execabs" - "io" - "strings" - "bufio" "bytes" - + "crypto/md5" + "fmt" + "io" + "os" "path/filepath" + "strings" - "github.com/google/shlex" "github.com/getsops/sops/v3" "github.com/getsops/sops/v3/cmd/sops/codes" "github.com/getsops/sops/v3/cmd/sops/common" "github.com/getsops/sops/v3/keyservice" "github.com/getsops/sops/v3/version" + "github.com/google/shlex" + exec "golang.org/x/sys/execabs" ) type editOpts struct { 
@@ -109,7 +105,7 @@ func edit(opts editOpts) ([]byte, error) { func editTree(opts editOpts, tree *sops.Tree, dataKey []byte) ([]byte, error) { // Create temporary file for editing - tmpdir, err := ioutil.TempDir("", "") + tmpdir, err := os.MkdirTemp("", "") if err != nil { return nil, common.NewExitError(fmt.Sprintf("Could not create temporary directory: %s", err), codes.CouldNotWriteOutputFile) } @@ -181,7 +177,7 @@ func runEditorUntilOk(opts runEditorUntilOkOpts) error { if bytes.Equal(newHash, opts.OriginalHash) { return common.NewExitError("File has not changed, exiting.", codes.FileHasNotBeenModified) } - edited, err := ioutil.ReadFile(opts.TmpFile.Name()) + edited, err := os.ReadFile(opts.TmpFile.Name()) if err != nil { return common.NewExitError(fmt.Sprintf("Could not read edited file: %s", err), codes.CouldNotReadInputFile) } diff --git a/cmd/sops/encrypt.go b/cmd/sops/encrypt.go index 195833ae6..cfb16ab18 100644 --- a/cmd/sops/encrypt.go +++ b/cmd/sops/encrypt.go @@ -1,17 +1,16 @@ package main import ( - "io/ioutil" - "path/filepath" - "fmt" + "os" + "path/filepath" - wordwrap "github.com/mitchellh/go-wordwrap" "github.com/getsops/sops/v3" "github.com/getsops/sops/v3/cmd/sops/codes" "github.com/getsops/sops/v3/cmd/sops/common" "github.com/getsops/sops/v3/keyservice" "github.com/getsops/sops/v3/version" + "github.com/mitchellh/go-wordwrap" ) type encryptOpts struct { @@ -57,7 +56,7 @@ func ensureNoMetadata(opts encryptOpts, branch sops.TreeBranch) error { func encrypt(opts encryptOpts) (encryptedFile []byte, err error) { // Load the file - fileBytes, err := ioutil.ReadFile(opts.InputPath) + fileBytes, err := os.ReadFile(opts.InputPath) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Error reading file: %s", err), codes.CouldNotReadInputFile) } diff --git a/cmd/sops/subcommand/exec/exec.go b/cmd/sops/subcommand/exec/exec.go index 720b2431d..c32739f20 100644 --- a/cmd/sops/subcommand/exec/exec.go +++ b/cmd/sops/subcommand/exec/exec.go 
@@ -2,7 +2,6 @@ package exec import ( "bytes" - "io/ioutil" "os" "runtime" "strings" @@ -28,7 +27,7 @@ type ExecOpts struct { } func GetFile(dir, filename string) *os.File { - handle, err := ioutil.TempFile(dir, filename) + handle, err := os.CreateTemp(dir, filename) if err != nil { log.Fatal(err) } @@ -45,7 +44,7 @@ func ExecWithFile(opts ExecOpts) error { opts.Fifo = false } - dir, err := ioutil.TempDir("", ".sops") + dir, err := os.MkdirTemp("", ".sops") if err != nil { log.Fatal(err) } diff --git a/cmd/sops/subcommand/publish/publish.go b/cmd/sops/subcommand/publish/publish.go index ee0dd27ae..dcaf0f31e 100644 --- a/cmd/sops/subcommand/publish/publish.go +++ b/cmd/sops/subcommand/publish/publish.go @@ -3,7 +3,7 @@ package publish import ( "errors" "fmt" - "io/ioutil" + "os" "path/filepath" "strings" @@ -130,7 +130,7 @@ func Run(opts Opts) error { return common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree) } } else { - fileContents, err = ioutil.ReadFile(path) + fileContents, err = os.ReadFile(path) if err != nil { return fmt.Errorf("could not read file: %s", err) } @@ -184,10 +184,3 @@ func Run(opts Opts) error { return nil } - -func min(a, b int) int { - if a < b { - return a - } - return b -} diff --git a/config/config.go b/config/config.go index a96593068..311604634 100644 --- a/config/config.go +++ b/config/config.go @@ -5,14 +5,12 @@ package config //import "github.com/getsops/sops/v3/config" import ( "fmt" - "io/ioutil" "os" "path" "path/filepath" "regexp" "strings" - "github.com/sirupsen/logrus" "github.com/getsops/sops/v3" "github.com/getsops/sops/v3/age" "github.com/getsops/sops/v3/azkv" @@ -22,6 +20,7 @@ import ( "github.com/getsops/sops/v3/logging" "github.com/getsops/sops/v3/pgp" "github.com/getsops/sops/v3/publish" + "github.com/sirupsen/logrus" "gopkg.in/yaml.v3" ) 
@@ -223,7 +222,7 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[ } func loadConfigFile(confPath string) (*configFile, error) { - confBytes, err := ioutil.ReadFile(confPath) + confBytes, err := os.ReadFile(confPath) if err != nil { return nil, fmt.Errorf("could not read config file: %s", err) } @@ -329,7 +328,7 @@ func parseCreationRuleForFile(conf *configFile, confPath, filePath string, kmsEn } // compare file path relative to path of config file - filePath = strings.TrimPrefix(filePath, configDir + string(filepath.Separator)) + filePath = strings.TrimPrefix(filePath, configDir+string(filepath.Separator)) var rule *creationRule diff --git a/decrypt/decrypt.go b/decrypt/decrypt.go index 506132894..874f59e9a 100644 --- a/decrypt/decrypt.go +++ b/decrypt/decrypt.go @@ -6,7 +6,7 @@ package decrypt // import "github.com/getsops/sops/v3/decrypt" import ( "fmt" - "io/ioutil" + "os" "time" "github.com/getsops/sops/v3/aes" @@ -18,7 +18,7 @@ import ( // file and returns its cleartext data in an []byte func File(path, format string) (cleartext []byte, err error) { // Read the file into an []byte - encryptedData, err := ioutil.ReadFile(path) + encryptedData, err := os.ReadFile(path) if err != nil { return nil, fmt.Errorf("Failed to read %q: %w", path, err) } diff --git a/go.mod b/go.mod index 77e8f7228..fb0fbb92b 100644 --- a/go.mod +++ b/go.mod @@ -33,7 +33,6 @@ require ( github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.8.4 github.com/urfave/cli v1.22.14 - golang.org/x/crypto v0.12.0 golang.org/x/net v0.14.0 golang.org/x/sys v0.11.0 golang.org/x/term v0.11.0 @@ -117,6 +116,7 @@ require ( github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect go.opencensus.io v0.24.0 // indirect + golang.org/x/crypto v0.12.0 // indirect golang.org/x/mod v0.9.0 // indirect golang.org/x/oauth2 v0.11.0 // indirect golang.org/x/sync v0.3.0 // indirect 
diff --git a/keyservice/server.go b/keyservice/server.go index 480a66e8b..85829621a 100644 --- a/keyservice/server.go +++ b/keyservice/server.go @@ -224,7 +224,7 @@ func keyToString(key *Key) string { case *Key_VaultKey: return fmt.Sprintf("Hashicorp Vault key with URI %s/v1/%s/keys/%s", k.VaultKey.VaultAddress, k.VaultKey.EnginePath, k.VaultKey.KeyName) default: - return fmt.Sprintf("Unknown key type") + return "Unknown key type" } } diff --git a/pgp/keysource.go b/pgp/keysource.go index c8e16fa7d..6bbc33d86 100644 --- a/pgp/keysource.go +++ b/pgp/keysource.go @@ -20,9 +20,9 @@ import ( "github.com/ProtonMail/go-crypto/openpgp" "github.com/ProtonMail/go-crypto/openpgp/armor" + "github.com/getsops/sops/v3/logging" "github.com/sirupsen/logrus" gpgagent "github.com/getsops/gopgagent" - "github.com/getsops/sops/v3/logging" "golang.org/x/term" ) @@ -49,8 +49,8 @@ var ( // log is the global logger for any PGP MasterKey. // TODO(hidde): this is not-so-nice for any implementation other than the CLI, -// as it becomes difficult to sugar the logger with data for e.g. individual -// processes. +// as it becomes difficult to sugar the logger with data for e.g. individual +// processes. var log *logrus.Logger func init() { @@ -588,8 +588,8 @@ func loadRing(path string) (openpgp.EntityList, error) { func fingerprintIndex(ring openpgp.EntityList) map[string]openpgp.Entity { fps := make(map[string]openpgp.Entity) for _, entity := range ring { - fp := strings.ToUpper(hex.EncodeToString(entity.PrimaryKey.Fingerprint[:])) if entity != nil { + fp := strings.ToUpper(hex.EncodeToString(entity.PrimaryKey.Fingerprint[:])) fps[fp] = *entity } } diff --git a/pgp/keysource_test.go b/pgp/keysource_test.go index 093e14216..1c7c436b4 100644 --- a/pgp/keysource_test.go +++ b/pgp/keysource_test.go 
@@ -689,7 +689,7 @@ func Test_shortenFingerprint(t *testing.T) { func TestPGP(t *testing.T) { key := NewMasterKeyFromFingerprint("FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4") f := func(x []byte) bool { - if x == nil || len(x) == 0 { + if len(x) == 0 { return true } if err := key.Encrypt(x); err != nil { diff --git a/stores/yaml/store.go b/stores/yaml/store.go index 4782428b6..1481dff8f 100644 --- a/stores/yaml/store.go +++ b/stores/yaml/store.go @@ -6,9 +6,9 @@ import ( "io" "strings" - "gopkg.in/yaml.v3" "github.com/getsops/sops/v3" "github.com/getsops/sops/v3/stores" + "gopkg.in/yaml.v3" ) // Store handles storage of YAML data @@ -76,7 +76,7 @@ func (store Store) nodeToTreeValue(node *yaml.Node, commentsWereHandled bool) (i node.Decode(&result) return result, nil case yaml.AliasNode: - return store.nodeToTreeValue(node.Alias, false); + return store.nodeToTreeValue(node.Alias, false) } return nil, nil } @@ -100,7 +100,7 @@ func (store Store) appendYamlNodeToTreeBranch(node *yaml.Node, branch sops.TreeB case yaml.MappingNode: for i := 0; i < len(node.Content); i += 2 { key := node.Content[i] - value := node.Content[i + 1] + value := node.Content[i+1] branch = store.appendCommentToMap(key.HeadComment, branch) branch = store.appendCommentToMap(key.LineComment, branch) handleValueComments := value.Kind == yaml.ScalarNode || value.Kind == yaml.AliasNode @@ -206,7 +206,7 @@ func (store *Store) appendSequence(in []interface{}, sequence *yaml.Node) { if beginning { comments = store.addCommentsHead(sequence, comments) } else { - comments = store.addCommentsFoot(sequence.Content[len(sequence.Content) - 1], comments) + comments = store.addCommentsFoot(sequence.Content[len(sequence.Content)-1], comments) } } } 
@@ -233,7 +233,7 @@ func (store *Store) appendTreeBranch(branch sops.TreeBranch, mapping *yaml.Node) if beginning { comments = store.addCommentsHead(mapping, comments) } else { - comments = store.addCommentsFoot(mapping.Content[len(mapping.Content) - 2], comments) + comments = store.addCommentsFoot(mapping.Content[len(mapping.Content)-2], comments) } } } @@ -262,7 +262,7 @@ func (store *Store) LoadEncryptedFile(in []byte) (sops.Tree, error) { } var branches sops.TreeBranches d := yaml.NewDecoder(bytes.NewReader(in)) - for true { + for { var data yaml.Node err := d.Decode(&data) if err == io.EOF { @@ -295,7 +295,7 @@ func (store *Store) LoadEncryptedFile(in []byte) (sops.Tree, error) { func (store *Store) LoadPlainFile(in []byte) (sops.TreeBranches, error) { var branches sops.TreeBranches d := yaml.NewDecoder(bytes.NewReader(in)) - for true { + for { var data yaml.Node err := d.Decode(&data) if err == io.EOF { @@ -317,7 +317,7 @@ func (store *Store) LoadPlainFile(in []byte) (sops.TreeBranches, error) { // EmitEncryptedFile returns the encrypted bytes of the yaml file corresponding to a // sops.Tree runtime object func (store *Store) EmitEncryptedFile(in sops.Tree) ([]byte, error) { - var b bytes.Buffer + var b bytes.Buffer e := yaml.NewEncoder(io.Writer(&b)) e.SetIndent(4) for _, branch := range in.Branches { @@ -331,7 +331,7 @@ func (store *Store) EmitEncryptedFile(in sops.Tree) ([]byte, error) { // Create copy of branch with metadata appended branch = append(sops.TreeBranch(nil), branch...) branch = append(branch, sops.TreeItem{ - Key: "sops", + Key: "sops", Value: stores.MetadataFromInternal(in.Metadata), }) // Marshal branch to global mapping node 
@@ -349,7 +349,7 @@ func (store *Store) EmitEncryptedFile(in sops.Tree) ([]byte, error) { // EmitPlainFile returns the plaintext bytes of the yaml file corresponding to a // sops.TreeBranches runtime object func (store *Store) EmitPlainFile(branches sops.TreeBranches) ([]byte, error) { - var b bytes.Buffer + var b bytes.Buffer e := yaml.NewEncoder(io.Writer(&b)) e.SetIndent(4) for _, branch := range branches { diff --git a/usererrors.go b/usererrors.go index 2476b0083..c800bad60 100644 --- a/usererrors.go +++ b/usererrors.go @@ -2,12 +2,12 @@ package sops import ( "fmt" - "io/ioutil" + "io" "strings" "github.com/fatih/color" "github.com/goware/prefixer" - wordwrap "github.com/mitchellh/go-wordwrap" + "github.com/mitchellh/go-wordwrap" ) // UserError is a well-formatted error for the purpose of being displayed to @@ -97,7 +97,7 @@ func (r *decryptGroupError) UserError() string { } reader := prefixer.New(strings.NewReader(message), " ") // Safe to ignore this error, as reading from a strings.Reader can't fail - errMsg, _ := ioutil.ReadAll(reader) + errMsg, _ := io.ReadAll(reader) return fmt.Sprintf("%s\n%s", header, string(errMsg)) } @@ -153,12 +153,12 @@ func (e *decryptKeyError) UserError() string { wrappedErr := wordwrap.WrapString(err.Error(), 60) reader := prefixer.New(strings.NewReader(wrappedErr), " | ") // Safe to ignore this error, as reading from a strings.Reader can't fail - errMsg, _ := ioutil.ReadAll(reader) + errMsg, _ := io.ReadAll(reader) errMsg[0] = '-' errMessages = append(errMessages, string(errMsg)) } joinedMsgs := strings.Join(errMessages, "\n\n") reader := prefixer.New(strings.NewReader(joinedMsgs), " ") - errMsg, _ := ioutil.ReadAll(reader) + errMsg, _ := io.ReadAll(reader) return fmt.Sprintf("%s\n%s", header, string(errMsg)) } From 751c1f725e080d8dba7684fd3af1dfc238b9909a Mon Sep 17 00:00:00 2001 
From: Hidde Beydals
Date: Tue, 15 Aug 2023 00:00:43 +0200
Subject: [PATCH 054/135] build: remove `test.sh` wrapper

My assumption is that this used to be in place because of `go` not ignoring the `vendor` directory. However, in 2023 this appears to no longer be an issue, and only adds complexity. While running `go test ./...` works just fine.

Signed-off-by: Hidde Beydals
---
 .gitignore | 1 -
 Makefile | 4 +++-
 test.sh | 20 --------------------
 3 files changed, 3 insertions(+), 22 deletions(-)
 delete mode 100755 test.sh

diff --git a/.gitignore b/.gitignore
index 721fabef4..9d85dcfa7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,5 +2,4 @@ bin/
 dist/
 Cargo.lock
 vendor/
-coverage.txt
 profile.out
diff --git a/Makefile b/Makefile
index 5dc0a574f..0c78bdaa0 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,9 @@ PROJECT := github.com/getsops/sops/v3
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+
 GO := GOPROXY=https://proxy.golang.org go
+GO_TEST_FLAGS ?= -race -coverprofile=profile.out -covermode=atomic
 GITHUB_REPOSITORY ?= github.com/getsops/sops
@@ -41,7 +43,7 @@ vet:
 .PHONY: test
 test: vendor
 gpg --import pgp/sops_functional_tests_key.asc 2>&1 1>/dev/null || exit 0
- ./test.sh
+ $(GO) test $(GO_TEST_FLAGS) ./...
 showcoverage: test
 $(GO) tool cover -html=coverage.out
diff --git a/test.sh b/test.sh
deleted file mode 100755
index d99b4e2f1..000000000
--- a/test.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-echo "" > coverage.txt
-
-failed=0
-
-for d in $(go list ./... | grep -v vendor); do
- go test -race -coverprofile=profile.out -covermode=atomic $d && true
- rc=$?
- if [ $rc != 0 ]; then
- failed=$rc
- fi
- if [ -f profile.out ]; then
- cat profile.out >> coverage.txt
- rm profile.out
- fi
-done
-
-exit ${failed}
From 5a8d6d232a6da52db5a3cc7654cdf811063b1027 Mon Sep 17 00:00:00 2001
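Review bot: `GO_TEST_FLAGS` now writes coverage to `profile.out`, but the `showcoverage` recipe in the same hunk's context still reads `coverage.out`, so `make showcoverage` fails on a file that is never produced; change it to `$(GO) tool cover -html=profile.out` (a later patch in this series makes exactly that change, so it could simply move into this commit). The removed `test.sh` also swallowed nothing that the new recipe does not, since a non-zero exit of `go test ./...` now fails the target directly, which is the better behaviour for CI.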
From: Hidde Beydals
Date: Tue, 15 Aug 2023 00:02:57 +0200
Subject: [PATCH 055/135] build: ignore `functional-tests/sops`

This should just really not be put there, but lets be nice and ignore it for now.

Signed-off-by: Hidde Beydals
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 9d85dcfa7..eb1f7c2a1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 bin/
 dist/
+functional-tests/sops
 Cargo.lock
 vendor/
 profile.out
From 6cf3ab54adef35b764f64c5311264a9bf5c9e134 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Thu, 17 Aug 2023 00:13:52 +0200
Subject: [PATCH 056/135] build: ensure Syft is installed

Signed-off-by: Hidde Beydals
---
 Makefile | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 0c78bdaa0..210dab2e9 100644
--- a/Makefile
+++ b/Makefile
@@ -4,18 +4,24 @@ PROJECT := github.com/getsops/sops/v3
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+BIN_DIR := $(PROJECT_DIR)/bin
 GO := GOPROXY=https://proxy.golang.org go
 GO_TEST_FLAGS ?= -race -coverprofile=profile.out -covermode=atomic
 GITHUB_REPOSITORY ?= github.com/getsops/sops
-STATICCHECK := $(PROJECT_DIR)/bin/staticcheck
+STATICCHECK := $(BIN_DIR)/staticcheck
 STATICCHECK_VERSION := latest
-GORELEASER := $(PROJECT_DIR)/bin/goreleaser
+SYFT := $(BIN_DIR)/syft
+SYFT_VERSION ?= v0.87.0
+
+GORELEASER := $(BIN_DIR)/goreleaser
 GORELEASER_VERSION ?= v1.20.0
+export PATH := $(BIN_DIR):$(PATH)
+
 .PHONY: all
 all: test vet generate install functional-tests
@@ -68,7 +74,7 @@ functional-tests-all:
 cd functional-tests && cargo test && cargo test -- --ignored
 .PHONY: release-snapshot
-release-snapshot: install-goreleaser
+release-snapshot: install-goreleaser install-syft
 GITHUB_REPOSITORY=$(GITHUB_REPOSITORY) $(GORELEASER) release --clean --snapshot --skip-sign
 .PHONY: install-staticcheck
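Review bot: `export PATH := $(BIN_DIR):$(PATH)` at file scope prepends the git-ignored, developer-writable `bin/` directory to `PATH` for every recipe in the Makefile, so any executable that ends up there shadows the system tools other targets depend on (`gpg` in `test`, `cargo` in `functional-tests-all`, `go` itself); presumably it is only there so goreleaser can locate `syft`. A target-specific variable limits that exposure to the one recipe that needs it: `release-snapshot: export PATH := $(BIN_DIR):$(PATH)`. `SYFT_VERSION ?= v0.87.0` is pinned, which is the right call for a tool that produces the release SBOM.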
@@ -79,6 +85,10 @@ install-staticcheck: install-goreleaser: $(call go-install-tool,$(GORELEASER),github.com/goreleaser/goreleaser@$(GORELEASER_VERSION),$(GORELEASER_VERSION)) +.PHONY: install-syft +install-syft: + $(call go-install-tool,$(SYFT),github.com/anchore/syft/cmd/syft@$(SYFT_VERSION),$(SYFT_VERSION)) + # go-install-tool will 'go install' any package $2 and install it to $1. define go-install-tool @[ -f $(1)-$(3) ] || { \ From da9b9aa226c2627f0c522bad7cb6753364013fbd Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 17 Aug 2023 00:27:28 +0200 Subject: [PATCH 057/135] build: add `clean` and delete `tag` Signed-off-by: Hidde Beydals --- Makefile | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 210dab2e9..a8e417941 100644 --- a/Makefile +++ b/Makefile @@ -28,12 +28,10 @@ all: test vet generate install functional-tests .PHONY: origin-build origin-build: test vet generate install functional-tests-all +.PHONY: install install: $(GO) install github.com/getsops/sops/v3/cmd/sops -tag: all - git tag -s $(TAGVER) -a -m "$(TAGMSG)" - .PHONY: staticcheck staticcheck: install-staticcheck $(STATICCHECK) ./... @@ -43,6 +41,7 @@ vendor: $(GO) mod tidy $(GO) mod vendor +.PHONY: vet vet: $(GO) vet ./... @@ -51,8 +50,9 @@ test: vendor gpg --import pgp/sops_functional_tests_key.asc 2>&1 1>/dev/null || exit 0 $(GO) test $(GO_TEST_FLAGS) ./... +.PHONY: showcoverage showcoverage: test - $(GO) tool cover -html=coverage.out + $(GO) tool cover -html=profile.out .PHONY: generate generate: keyservice/keyservice.pb.go 
@@ -77,6 +77,10 @@ functional-tests-all: release-snapshot: install-goreleaser install-syft GITHUB_REPOSITORY=$(GITHUB_REPOSITORY) $(GORELEASER) release --clean --snapshot --skip-sign +.PHONY: clean +clean: + rm -rf $(BIN_DIR) profile.out functional-tests/sops + .PHONY: install-staticcheck install-staticcheck: $(call go-install-tool,$(STATICCHECK),honnef.co/go/tools/cmd/staticcheck@$(STATICCHECK_VERSION),$(STATICCHECK_VERSION)) From 31eb43cfaca2e25f3699aad9aa98503ee207aa90 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 22 Aug 2023 21:34:04 +0200 Subject: [PATCH 058/135] Update dependencies - cloud.google.com/go/storage to v1.32.0 - github.com/Azure/azure-sdk-for-go/sdk/azcore to v1.7.1 - github.com/Azure/azure-sdk-for-go/sdk/azidentity to v1.3.1 - github.com/ProtonMail/go-crypto to v0.0.0-20230717121422-5aa5874ade95 - github.com/aws/aws-sdk-go-v2 to v1.21.0 - github.com/aws/aws-sdk-go-v2/config to v1.18.36 - github.com/aws/aws-sdk-go-v2/credentials to v1.13.35 - github.com/aws/aws-sdk-go-v2/feature/s3/manager to v1.11.80 - github.com/aws/aws-sdk-go-v2/service/kms to v1.24.5 - github.com/aws/aws-sdk-go-v2/service/s3 to v1.38.5 - github.com/aws/aws-sdk-go-v2/service/sts to v1.21.5 - google.golang.org/api to v0.138.0 - google.golang.org/genproto to v0.0.0-20230822172742-b8732ec3820d - google.golang.org/genproto/googleapis/rpc to v0.0.0-20230822172742-b8732ec3820d Signed-off-by: Hidde Beydals --- go.mod | 62 ++++++++++++++--------------- go.sum | 124 ++++++++++++++++++++++++++++----------------------------- 2 files changed, 93 insertions(+), 93 deletions(-) diff --git a/go.mod b/go.mod index fb0fbb92b..bd93f7b92 100644 --- a/go.mod +++ b/go.mod 
@@ -4,19 +4,19 @@ go 1.19 require ( cloud.google.com/go/kms v1.15.1 - cloud.google.com/go/storage v1.31.0 + cloud.google.com/go/storage v1.32.0 filippo.io/age v1.1.1 - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0 - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.0 - github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec - github.com/aws/aws-sdk-go-v2 v1.20.1 - github.com/aws/aws-sdk-go-v2/config v1.18.33 - github.com/aws/aws-sdk-go-v2/credentials v1.13.32 - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.77 - github.com/aws/aws-sdk-go-v2/service/kms v1.24.2 - github.com/aws/aws-sdk-go-v2/service/s3 v1.38.2 - github.com/aws/aws-sdk-go-v2/service/sts v1.21.2 + github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 + github.com/aws/aws-sdk-go-v2 v1.21.0 + github.com/aws/aws-sdk-go-v2/config v1.18.36 + github.com/aws/aws-sdk-go-v2/credentials v1.13.35 + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.80 + github.com/aws/aws-sdk-go-v2/service/kms v1.24.5 + github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5 + github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 github.com/blang/semver v3.5.1+incompatible github.com/fatih/color v1.15.0 github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a @@ -36,9 +36,9 @@ require ( golang.org/x/net v0.14.0 golang.org/x/sys v0.11.0 golang.org/x/term v0.11.0 - google.golang.org/api v0.136.0 - google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 - google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577 + google.golang.org/api v0.138.0 + google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d + google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d google.golang.org/grpc v1.57.0 google.golang.org/protobuf v1.31.0 gopkg.in/ini.v1 v1.67.0 
@@ -46,29 +46,29 @@ require ( ) require ( - cloud.google.com/go v0.110.6 // indirect + cloud.google.com/go v0.110.7 // indirect cloud.google.com/go/compute v1.23.0 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect cloud.google.com/go/iam v1.1.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 // indirect github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect github.com/Microsoft/go-winio v0.6.0 // indirect github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect - github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.12 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.8 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.38 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.32 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.3.39 // indirect - github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.1 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.13 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.33 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.32 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.13.2 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.2 // indirect - github.com/aws/smithy-go v1.14.1 // indirect + github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 // indirect + 
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42 // indirect + github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.4 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.14 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.36 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.13.5 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5 // indirect + github.com/aws/smithy-go v1.14.2 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/cenkalti/backoff/v4 v4.1.3 // indirect github.com/cloudflare/circl v1.3.3 // indirect @@ -81,9 +81,9 @@ require ( github.com/docker/go-units v0.4.0 // indirect github.com/go-jose/go-jose/v3 v3.0.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/golang-jwt/jwt/v5 v5.0.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/google/s2a-go v0.1.4 // indirect + github.com/google/s2a-go v0.1.5 // indirect github.com/google/uuid v1.3.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect github.com/googleapis/gax-go/v2 v2.12.0 // indirect diff --git a/go.sum b/go.sum index 98c3480e8..0d501bddf 100644 --- a/go.sum +++ b/go.sum 
@@ -1,7 +1,7 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.110.6 h1:8uYAkj3YHTP/1iwReuHPxLSbdcyc+dSBbzFMrVwDR6Q= -cloud.google.com/go v0.110.6/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI= +cloud.google.com/go v0.110.7 h1:rJyC7nWRg2jWGZ4wSJ5nY65GTdYJkg0cd/uXb+ACI6o= +cloud.google.com/go v0.110.7/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI= cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY= cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= 
@@ -10,14 +10,14 @@ cloud.google.com/go/iam v1.1.1 h1:lW7fzj15aVIXYHREOqjRBV9PsH0Z6u8Y46a1YGvQP4Y= cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= cloud.google.com/go/kms v1.15.1 h1:HUC3fAoepH3RpcQXiJhXWWYizjQ5r7YjI7SO9ZbHf9s= cloud.google.com/go/kms v1.15.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM= -cloud.google.com/go/storage v1.31.0 h1:+S3LjjEN2zZ+L5hOwj4+1OkGCsLVe0NzpXKQ1pSdTCI= -cloud.google.com/go/storage v1.31.0/go.mod h1:81ams1PrhW16L4kF7qg+4mTq7SRs5HsbDTM0bWvrwJ0= +cloud.google.com/go/storage v1.32.0 h1:5w6DxEGOnktmJHarxAOUywxVW9lbNWIzlzzUltG/3+o= +cloud.google.com/go/storage v1.32.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/OxflYkiD8= filippo.io/age v1.1.1 h1:pIpO7l151hCnQ4BdyBujnGP2YlUo0uj6sAVNHGBvXHg= filippo.io/age v1.1.1/go.mod h1:l03SrzDUrBkdBx8+IILdnn2KZysqQdbEBUQ4p3sqEQE= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0 h1:8q4SaHjFsClSvuVne0ID/5Ka8u3fcIHyqkLjcFpNRHQ= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 h1:/iHxaJhsFr0+xVFfbMr5vxz848jyiWuIEDhYq3y5odY= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.0 
h1:yfJe15aSwEQ6Oo6J+gdfdulPNoZ3TEhmbhLIoxZcA+U= 
@@ -26,58 +26,58 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 h1:T028g github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0/go.mod h1:cw4zVQgBby0Z5f2v0itn6se2dDP17nTjbZFXW5uPyHA= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= -github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY= -github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o= +github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 h1:WpB/QDNLpMw72xHJc34BNNykqSOeEJDAWkhf0u12/Jk= +github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg= github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw= github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk= -github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec h1:vV3RryLxt42+ZIVOFbYJCH1jsZNTNmj2NYru5zfx+4E= -github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= +github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 h1:KLq8BE0KwCL+mmXnjLWEAOYO+2l2AE4YMmqG1ZpZHBs= +github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= 
github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/aws/aws-sdk-go-v2 v1.20.1 h1:rZBf5DWr7YGrnlTK4kgDQGn1ltqOg5orCYb/UhOFZkg= -github.com/aws/aws-sdk-go-v2 v1.20.1/go.mod h1:NU06lETsFm8fUC6ZjhgDpVBcGZTFQ6XM+LZWZxMI4ac= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.12 h1:lN6L3LrYHeZ6xCxaIYtoWCx4GMLk4nRknsh29OMSqHY= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.12/go.mod h1:TDCkEAkMTXxTs0oLBGBKpBZbk3NLh8EvAfF0Q3x8/0c= -github.com/aws/aws-sdk-go-v2/config v1.18.33 h1:JKcw5SFxFW/rpM4mOPjv0VQ11E2kxW13F3exWOy7VZU= -github.com/aws/aws-sdk-go-v2/config v1.18.33/go.mod h1:hXO/l9pgY3K5oZJldamP0pbZHdPqqk+4/maa7DSD3cA= -github.com/aws/aws-sdk-go-v2/credentials v1.13.32 h1:lIH1eKPcCY1ylR4B6PkBGRWMHO3aVenOKJHWiS4/G2w= -github.com/aws/aws-sdk-go-v2/credentials v1.13.32/go.mod h1:lL8U3v/Y79YRG69WlAho0OHIKUXCyFvSXaIvfo81sls= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.8 h1:DK/9C+UN/X+1+Wm8pqaDksQr2tSLzq+8X1/rI/ZxKEQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.8/go.mod h1:ce7BgLQfYr5hQFdy67oX2svto3ufGtm6oBvmsHScI1Q= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.77 h1:oWSNL9oQy+do911sXpJyIc2J7RiUrbm9BecyaGy1wHo= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.77/go.mod h1:xvOdc97VpScJqB10YAI8r/cKuU7d9Ls/as03KROO2qY= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.38 h1:c8ed/T9T2K5I+h/JzmF5tpI46+OODQ74dzmdo+QnaMg= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.38/go.mod h1:qggunOChCMu9ZF/UkAfhTz25+U2rLVb3ya0Ua6TTfCA= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.32 h1:hNeAAymUY5gu11WrrmFb3CVIp9Dar9hbo44yzzcQpzA= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.32/go.mod h1:0ZXSqrty4FtQ7p8TEuRde/SZm9X05KT18LAUlR40Ln0= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.39 h1:fc0ukRAiP1syoSGZYu+DaE+FulSYhTiJ8WpVu5jElU4= 
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.39/go.mod h1:WLAW8PT7+JhjZfLSWe7WEJaJu0GNo0cKc2Zyo003RBs= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.1 h1:vUh7dBFNS3oFCtVv6CiYKh5hP9ls8+kIpKLeFruIBLk= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.1/go.mod h1:sFMeinkhj/SZKQM8BxtvNtSPjJEo0Xrz+w3g2e4FSKI= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.13 h1:iV/W5OMBys+66OeXJi/7xIRrKZNsu0ylsLGu+6nbmQE= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.13/go.mod h1:ReJb6xYmtGyu9KoFtRreWegbN9dZqvZIIv4vWnhcsyI= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.33 h1:QviNkc+vGSuEHx8P+pVNKOdWLXBPIwMFv7p0fphgE4U= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.33/go.mod h1:fABTUmOrAgAalG2i9WJpjBvlnk7UK8YmnYaxN+Q2CwE= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.32 h1:dGAseBFEYxth10V23b5e2mAS+tX7oVbfYHD6dnDdAsg= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.32/go.mod h1:4jwAWKEkCR0anWk5+1RbfSg1R5Gzld7NLiuaq5bTR/Y= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.1 h1:PT6PBCycRwhpEW5hJnRiceCeoWJ+r3bdgXtV+VKG7Pk= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.1/go.mod h1:TqoxCLwT2nrxrBGA+z7t6OWM7LBkgRckK3gOjYE+7JA= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.2 h1:I2ximKQ1xcMEOP1a4Dy2g/lCgqOTpHG/0Fpx2luA6QE= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.2/go.mod h1:RwNGVcn98yGMXThTfLwa/+COSUXJ1opCiIETNxP4GNc= -github.com/aws/aws-sdk-go-v2/service/s3 v1.38.2 h1:v346f1h8sUBKXnEbrv43L37MTBlFHyKXQPIZHNAaghA= -github.com/aws/aws-sdk-go-v2/service/s3 v1.38.2/go.mod h1:cwCATiyNrXK9P2FsWdZ89g9mpsYv2rhk0UA/KByl5fY= -github.com/aws/aws-sdk-go-v2/service/sso v1.13.2 h1:A2RlEMo4SJSwbNoUUgkxTAEMduAy/8wG3eB2b2lP4gY= -github.com/aws/aws-sdk-go-v2/service/sso v1.13.2/go.mod h1:ju+nNXUunfIFamXUIZQiICjnO/TPlOmWcYhZcSy7xaE= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.2 h1:OJELEgyaT2kmaBGZ+myyZbTTLobfe3ox3FSh5eYK9Qs= 
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.2/go.mod h1:ubDBBaDFs1GHijSOTi8ljppML15GLG0HxhILtbjNNYQ= -github.com/aws/aws-sdk-go-v2/service/sts v1.21.2 h1:ympg1+Lnq33XLhcK/xTG4yZHPs1Oyxu+6DEWbl7qOzA= -github.com/aws/aws-sdk-go-v2/service/sts v1.21.2/go.mod h1:FQ/DQcOfESELfJi5ED+IPPAjI5xC6nxtSolVVB773jM= -github.com/aws/smithy-go v1.14.1 h1:EFKMUmH/iHMqLiwoEDx2rRjRQpI1YCn5jTysoaDujFs= -github.com/aws/smithy-go v1.14.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aws/aws-sdk-go-v2 v1.21.0 h1:gMT0IW+03wtYJhRqTVYn0wLzwdnK9sRMcxmtfGzRdJc= +github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13 h1:OPLEkmhXf6xFPiz0bLeDArZIDx1NNS4oJyG4nv3Gct0= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13/go.mod h1:gpAbvyDGQFozTEmlTFO8XcQKHzubdq0LzRyJpG6MiXM= +github.com/aws/aws-sdk-go-v2/config v1.18.36 h1:mLNA12PWU1Y+ueOO79QgQfKIPhc1MYKl44RmvASkJ7Q= +github.com/aws/aws-sdk-go-v2/config v1.18.36/go.mod h1:8AnEFxW9/XGKCbjYDCJy7iltVNyEI9Iu9qC21UzhhgQ= +github.com/aws/aws-sdk-go-v2/credentials v1.13.35 h1:QpsNitYJu0GgvMBLUIYu9H4yryA5kMksjeIVQfgXrt8= +github.com/aws/aws-sdk-go-v2/credentials v1.13.35/go.mod h1:o7rCaLtvK0hUggAGclf76mNGGkaG5a9KWlp+d9IpcV8= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 h1:uDZJF1hu0EVT/4bogChk8DyjSF6fof6uL/0Y26Ma7Fg= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11/go.mod h1:TEPP4tENqBGO99KwVpV9MlOX4NSrSLP8u3KRy2CDwA8= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.80 h1:UrlTIXE+X+u/680ZIPkuM5QYg1D5+bWjlOGlOfHCptU= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.80/go.mod h1:57ALQch4qLc5kVWTHloB61HfmMc8ZlAgia3xEO2Bolc= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 h1:22dGT7PneFMx4+b3pz7lMTRyN8ZKH7M2cW4GP9yUS2g= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41/go.mod h1:CrObHAuPneJBlfEJ5T3szXOUkLEThaGfvnhTf33buas= 
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 h1:SijA0mgjV8E+8G45ltVHs0fvKpTj8xmZJ3VwhGKtUSI= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35/go.mod h1:SJC1nEVVva1g3pHAIdCp7QsRIkMmLAgoDquQ9Rr8kYw= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42 h1:GPUcE/Yq7Ur8YSUk6lVkoIMWnJNO0HT18GUzCWCgCI0= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42/go.mod h1:rzfdUlfA+jdgLDmPKjd3Chq9V7LVLYo1Nz++Wb91aRo= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.4 h1:6lJvvkQ9HmbHZ4h/IEwclwv2mrTW8Uq1SOB/kXy0mfw= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.4/go.mod h1:1PrKYwxTM+zjpw9Y41KFtoJCQrJ34Z47Y4VgVbfndjo= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.14 h1:m0QTSI6pZYJTk5WSKx3fm5cNW/DCicVzULBgU/6IyD0= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.14/go.mod h1:dDilntgHy9WnHXsh7dDtUPgHKEfTJIBUTHM8OWm0f/0= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.36 h1:eev2yZX7esGRjqRbnVk1UxMLw4CyVZDpZXRCcy75oQk= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.36/go.mod h1:lGnOkH9NJATw0XEPcAknFBj3zzNTEGRHtSw+CwC1YTg= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 h1:CdzPW9kKitgIiLV1+MHobfR5Xg25iYnyzWZhyQuSlDI= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35/go.mod h1:QGF2Rs33W5MaN9gYdEQOBBFPLwTZkEhRwI33f7KIG0o= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4 h1:v0jkRigbSD6uOdwcaUQmgEwG1BkPfAPDqaeNt/29ghg= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4/go.mod h1:LhTyt8J04LL+9cIt7pYJ5lbS/U98ZmXovLOR/4LUsk8= +github.com/aws/aws-sdk-go-v2/service/kms v1.24.5 h1:VNEw+EdYDUdkICYAVQ6n9WoAq8ZuZr7dXKjyaOw94/Q= +github.com/aws/aws-sdk-go-v2/service/kms v1.24.5/go.mod h1:NZEhPgq+vvmM6L9w+xl78Vf7YxqUcpVULqFdrUhHg8I= +github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5 h1:A42xdtStObqy7NGvzZKpnyNXvoOmm+FENobZ0/ssHWk= +github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5/go.mod h1:rDGMZA7f4pbmTtPOk5v5UM2lmX6UAbRnMDJeDvnH7AM= 
+github.com/aws/aws-sdk-go-v2/service/sso v1.13.5 h1:oCvTFSDi67AX0pOX3PuPdGFewvLRU2zzFSrTsgURNo0= +github.com/aws/aws-sdk-go-v2/service/sso v1.13.5/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5 h1:dnInJb4S0oy8aQuri1mV6ipLlnZPfnsDNB9BGO9PDNY= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4= +github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 h1:CQBFElb0LS8RojMJlxRSo/HXipvTZW2S44Lt9Mk2aYQ= +github.com/aws/aws-sdk-go-v2/service/sts v1.21.5/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU= +github.com/aws/smithy-go v1.14.2 h1:MJU9hqBGbvWZdApzpvoF2WAIJDbtjK2NDJSiJP7HblQ= +github.com/aws/smithy-go v1.14.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= 
@@ -144,8 +144,8 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= -github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= +github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= 
@@ -179,8 +179,8 @@ github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= -github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc= -github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/s2a-go v0.1.5 h1:8IYp3w9nysqv3JH+NJgXJzGbDHzLOTj43BmSkp+O7qg= +github.com/google/s2a-go v0.1.5/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -453,8 +453,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.136.0 h1:e/6enzUE1s4tGPa6Q3ZYShKTtvRc+1Jq0rrafhppmOs= -google.golang.org/api v0.136.0/go.mod h1:XtJfF+V2zgUxelOn5Zs3kECtluMxneJG8ZxUTlLNTPA= +google.golang.org/api v0.138.0 h1:K/tVp05MxNVbHShRw9m7e9VJGdagNeTdMzqPH7AUqr0= +google.golang.org/api v0.138.0/go.mod h1:4xyob8CxC+0GChNBvEUAk8VBKNvYOTWM9T3v3UfRxuY= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= 
@@ -463,12 +463,12 @@ google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoA google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 h1:L6iMMGrtzgHsWofoFcihmDEMYeDR9KN/ThbPWGrh++g= -google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5/go.mod h1:oH/ZOT02u4kWEp7oYBGYFFkCdKS/uYR9Z7+0/xuuFp8= +google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY= +google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 h1:nIgk/EEq3/YlnmVVXVnm14rC2oxgs1o0ong4sD/rd44= google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5/go.mod h1:5DZzOUPCLYL3mNkQ0ms0F3EuUNZ7py1Bqeq6sxzI7/Q= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577 h1:wukfNtZmZUurLN/atp2hiIeTKn7QJWIQdHzqmsOnAOk= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= 
From 1c8f44c308c6819e824f6b5227352c3707a17914 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Wed, 16 Aug 2023 22:55:26 +0200 Subject: [PATCH 059/135] release: properly enquote version ldflag Signed-off-by: Hidde Beydals --- .goreleaser.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index db87d598b..17b173aa9 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -27,7 +27,7 @@ builds: ldflags: - > -s -w - -X {{ .Env.PKG }}.Version={{ .Version }}" + -X "{{ .Env.PKG }}.Version={{ .Version }}" goos: - linux goarch: From 56df701f682d50710084b0add8b24487de13701a Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Wed, 16 Aug 2023 23:21:11 +0200 Subject: [PATCH 060/135] version: rewrite command to use GitHub endpoints This changes the logic of parsing the `version.go` file from a certain branch to instead make use of the GitHub latest release redirect or API[1] endpoints for checking if `sops` is on the latest version. Detaching any future release of SOPS from specific file structures and/or branches, and (theoretically) freeing it from the requirement of having to bump the version in-code during release (as this is also done using `-ldflags` during build). Were it not for the fact that we have to maintain it for backwards compatibility. [1]: https://docs.github.com/en/free-pro-team@latest/rest/releases/releases?apiVersion=2022-11-28#get-the-latest-release Signed-off-by: Hidde Beydals --- go.mod | 2 +- version/version.go | 218 +++++++++++++++++++++++++++------ version/version_test.go | 261 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 440 insertions(+), 41 deletions(-) create mode 100644 version/version_test.go diff --git a/go.mod b/go.mod index bd93f7b92..2e5ab453f 100644 --- a/go.mod +++ b/go.mod 
@@ -24,6 +24,7 @@ require ( github.com/google/go-cmp v0.5.9 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 github.com/goware/prefixer v0.0.0-20160118172347-395022866408 + github.com/hashicorp/go-cleanhttp v0.5.2 github.com/hashicorp/vault/api v1.9.2 github.com/lib/pq v1.10.9 github.com/mitchellh/go-homedir v1.1.0 @@ -88,7 +89,6 @@ require ( github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect github.com/googleapis/gax-go/v2 v2.12.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect - github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-hclog v1.2.1 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/hashicorp/go-retryablehttp v0.7.1 // indirect diff --git a/version/version.go b/version/version.go index 095433130..006a16152 100644 --- a/version/version.go +++ b/version/version.go 
@@ -1,44 +1,57 @@ package version import ( - "bufio" + "encoding/json" "fmt" "net/http" "strings" "github.com/blang/semver" + "github.com/hashicorp/go-cleanhttp" "github.com/urfave/cli" ) -// Version represents the value of the current semantic version +// Version represents the value of the current semantic version. var Version = "3.7.3" -// PrintVersion handles the version command for sops +// PrintVersion prints the current version of sops. If the flag +// `--disable-version-check` is set, the function will not attempt +// to retrieve the latest version from the GitHub API. +// +// If the flag is not set, the function will attempt to retrieve +// the latest version from the GitHub API and compare it to the +// current version. If the latest version is newer, the function +// will print a message to stdout. func PrintVersion(c *cli.Context) { - out := fmt.Sprintf("%s %s", c.App.Name, c.App.Version) + out := strings.Builder{} + + out.WriteString(fmt.Sprintf("%s %s", c.App.Name, c.App.Version)) + if c.Bool("disable-version-check") { - out += "\n" + out.WriteString("\n") } else { - upstreamVersion, err := RetrieveLatestVersionFromUpstream() - if err != nil { - out += fmt.Sprintf("\n[warning] failed to retrieve latest version from upstream: %v\n", err) - } - outdated, err := AIsNewerThanB(upstreamVersion, Version) + upstreamVersion, upstreamURL, err := RetrieveLatestReleaseVersion() if err != nil { - out += fmt.Sprintf("\n[warning] failed to compare current version with latest: %v\n", err) + out.WriteString(fmt.Sprintf("\n[warning] failed to retrieve latest version from upstream: %v\n", err)) } else { - if outdated { - out += fmt.Sprintf("\n[info] sops %s is available, update with `go get -u github.com/getsops/sops/v3/cmd/sops`\n", upstreamVersion) + outdated, err := AIsNewerThanB(upstreamVersion, Version) + if err != nil { + out.WriteString(fmt.Sprintf("\n[warning] failed to compare current version with latest: %v\n", err)) } else { - out += " (latest)\n" + if 
outdated { + out.WriteString(fmt.Sprintf("\n[info] a new version of sops (%s) is available, you can update by visiting: %s\n", upstreamVersion, upstreamURL)) + } else { + out.WriteString(" (latest)\n") + } } } } - fmt.Fprintf(c.App.Writer, "%s", out) + fmt.Fprintf(c.App.Writer, "%s", out.String()) } -// AIsNewerThanB takes 2 semver strings are returns true -// is the A is newer than B, false otherwise +// AIsNewerThanB compares two semantic versions and returns true if A is newer +// than B. The function will return an error if either version is not a valid +// semantic version. func AIsNewerThanB(A, B string) (bool, error) { if strings.HasPrefix(B, "1.") { // sops 1.0 doesn't use the semver format, which will @@ -46,6 +59,10 @@ func AIsNewerThanB(A, B string) (bool, error) { // more recent than 1.X anyway, return true right away return true, nil } + + // Trim the leading "v" from the version strings, if present. + A, B = strings.TrimPrefix(A, "v"), strings.TrimPrefix(B, "v") + vA, err := semver.Make(A) if err != nil { return false, err 
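Review bot: In the rewritten body of `PrintVersion`, each `out.WriteString(fmt.Sprintf(...))` formats into a temporary string that the `strings.Builder` then copies; `fmt.Fprintf(&out, ...)` writes straight into the builder, and the closing `fmt.Fprintf(c.App.Writer, "%s", out.String())` can become `fmt.Fprint(c.App.Writer, out.String())`. The `else { ... } else { if outdated {` nesting would also read better as a flat `else if` / `else` chain, since every branch only appends one line. The `// sops 1.0` comment at the end of the hunk belongs to `AIsNewerThanB`, whose body continues past it.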
@@ -61,31 +78,152 @@ func AIsNewerThanB(A, B string) (bool, error) { return false, nil } -// RetrieveLatestVersionFromUpstream gets the latest version from the source code at Github +// RetrieveLatestVersionFromUpstream retrieves the most recent release version +// from GitHub. The function returns the latest version as a string, or an +// error if the request fails or the response cannot be parsed. +// +// Deprecated: This function is deprecated in favor of +// RetrieveLatestReleaseVersion, which also provides the URL of the latest +// release. func RetrieveLatestVersionFromUpstream() (string, error) { - resp, err := http.Get("https://raw.githubusercontent.com/getsops/sops/master/version/version.go") - if err != nil { - return "", err - } - defer resp.Body.Close() - scanner := bufio.NewScanner(resp.Body) - for scanner.Scan() { - line := scanner.Text() - if strings.HasPrefix(line, `const Version = "`) { - comps := strings.Split(line, `"`) - if len(comps) < 2 { - return "", fmt.Errorf("Failed to parse version from upstream source") - } - // try to parse the version as semver - _, err := semver.Make(comps[1]) - if err != nil { - return "", fmt.Errorf("Retrieved version %q does not match semver format: %w", comps[1], err) - } - return comps[1], nil + tag, _, err := RetrieveLatestReleaseVersion() + return strings.TrimPrefix(tag, "v"), err +} + +// RetrieveLatestReleaseVersion fetches the latest release version from GitHub. +// Returns the latest version as a string and the release URL, or an error if +// the request failed or the response could not be parsed. +// +// The function first attempts redirection-based retrieval (HTTP 301). It's +// preferred over GitHub API due to no rate limiting, but may break on +// redirect changes. If the first attempt fails, it falls back to the GitHub +// API. +// +// Unlike RetrieveLatestVersionFromUpstream, it returns the tag (e.g. "v3.7.3"). 
+func RetrieveLatestReleaseVersion() (tag, url string, err error) { + const repository = "mozilla/sops" + return newReleaseFetcher().LatestRelease(repository) +} + +// newReleaseFetcher creates and returns a new instance of the releaseFetcher, +// preconfigured with the necessary endpoint information for redirection-based +// and API-based release retrieval. +func newReleaseFetcher() releaseFetcher { + return releaseFetcher{ + endpoint: "https://github.com", + apiEndpoint: "https://api.github.com", + } +} + +// releaseFetcher is a helper struct used for fetching release information +// from GitHub. It encapsulates the necessary endpoints for redirection-based +// and API-based retrieval methods. +type releaseFetcher struct { + endpoint string + apiEndpoint string +} + +// LatestRelease retrieves the most recent release version for a given repository +// by first attempting to fetch it using redirection-based approach. If this +// attempt fails, it then falls back to the versioned GitHub API for retrieval. +// +// It returns the latest version as a string along with its corresponding URL, or +// an error in case both retrieval methods are unsuccessful. +// +// This function combines the advantages of both retrieval strategies: the resilience +// of the redirection-based approach and the reliability of the versioned API usage. +// However, it's worth noting that the API usage can be affected by GitHub's rate limiting. +func (f releaseFetcher) LatestRelease(repository string) (tag, url string, err error) { + if tag, url, err = f.LatestReleaseUsingRedirect(repository); err == nil { + return + } + return f.LatestReleaseUsingAPI(repository) +} + +// LatestReleaseUsingRedirect fetches the most recent version of a release +// from the GitHub API. It returns the latest version as a string, along with +// its corresponding URL, or an error in case of a failed request or if the +// response couldn't be parsed. 
+// +// This method employs a customized HTTP client capable of following HTTP 301 +// redirects, which might occur due to repository renaming. It's important to +// note that it does not follow HTTP 302 redirects, the type GitHub employs +// for redirecting to the latest release. +// +// Compared to LatestReleaseUsingAPI, this approach circumvents potential GitHub +// API rate limiting. However, it's worth considering that changes in GitHub's +// redirect handling could potentially disrupt its functionality. +func (f releaseFetcher) LatestReleaseUsingRedirect(repository string) (tag, url string, err error) { + client := cleanhttp.DefaultClient() + client.CheckRedirect = func(req *http.Request, via []*http.Request) error { + // Follow HTTP 301 redirects, which may be present due to the + // repository being renamed. But do not follow HTTP 302 redirects, + // which is what GitHub uses to redirect to the latest release. + if req.Response.StatusCode == 302 { + return http.ErrUseLastResponse } + return nil + } + + resp, err := client.Head(fmt.Sprintf("%s/%s/releases/latest", f.endpoint, repository)) + if err != nil { + return "", "", err + } + if resp.Body != nil { + defer resp.Body.Close() + } + + if resp.StatusCode < 300 || resp.StatusCode > 399 { + return "", "", fmt.Errorf("unexpected status code: %d", resp.StatusCode) + } + + location := resp.Header.Get("Location") + if location == "" { + return "", "", fmt.Errorf("missing Location header") + } + + tagMarker := "releases/tag/" + if tagIndex := strings.Index(location, tagMarker); tagIndex != -1 { + return location[tagIndex+len(tagMarker):], location, nil + } + return "", "", fmt.Errorf("unexpected Location header: %s", location) +} + +// LatestReleaseUsingAPI retrieves the most recent release version from the +// GitHub API. It returns the latest version as a string, along with its +// corresponding URL, or an error in case of request failure or parsing issues +// with the response. 
+// +// This approach boasts higher reliability compared to +// LatestReleaseUsingRedirect as it leverages the versioned GitHub API. +// However, it can be affected by GitHub API rate limiting. +func (f releaseFetcher) LatestReleaseUsingAPI(repository string) (tag, url string, err error) { + req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/%s/releases/latest", f.apiEndpoint, repository), nil) + if err != nil { + return "", "", err + } + req.Header.Set("Accept", "application/vnd.github+json") + req.Header.Set("X-GitHub-Api-Version", "2022-11-28") + + res, err := cleanhttp.DefaultClient().Do(req) + if err != nil { + return "", "", fmt.Errorf("GitHub API request failed: %v", err) + } + if res.Body != nil { + defer res.Body.Close() + } + + if res.StatusCode != http.StatusOK { + return "", "", fmt.Errorf("GitHub API request failed with status code: %d", res.StatusCode) + } + + type release struct { + URL string `json:"html_url"` + Tag string `json:"tag_name"` } - if err := scanner.Err(); err != nil { - return "", err + var m release + if err := json.NewDecoder(res.Body).Decode(&m); err != nil { + return "", "", err } - return "", fmt.Errorf("Version information not found in upstream file") + return m.Tag, m.URL, nil } diff --git a/version/version_test.go b/version/version_test.go new file mode 100644 index 000000000..54f6340e3 --- /dev/null +++ b/version/version_test.go 
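Review bot: The custom `CheckRedirect` in `LatestReleaseUsingRedirect` returns nil for every non-302 hop, which discards the 10-redirect cap that Go's default policy enforces, so an upstream answering with an endless 301 chain keeps the HEAD request looping; the closure should re-impose that bound and guard `req.Response` before dereferencing it. As far as I can tell `cleanhttp.DefaultClient()` also sets no `Client.Timeout`, so a stalled server hangs the version command both here and in `LatestReleaseUsingAPI` (`cleanhttp.DefaultClient().Do(req)`); a `client.Timeout` of a few seconds (with a `time` import) would bound that. Note too that the deprecated `RetrieveLatestVersionFromUpstream` used to reject a value that was not valid semver, whereas `location[tagIndex+len(tagMarker):]` is now returned unchecked and the raw `Location` value is what `PrintVersion` shows the user as the URL to visit; a `semver.Make` check on the extracted tag would restore the old validation.
```go
func (f releaseFetcher) LatestReleaseUsingRedirect(repository string) (tag, url string, err error) {
	client := cleanhttp.DefaultClient()
	client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
		// A custom CheckRedirect replaces Go's default policy, including its
		// 10-hop limit, so the bound has to be restored explicitly.
		if len(via) >= 10 {
			return fmt.Errorf("stopped after %d redirects", len(via))
		}
		// Follow HTTP 301 redirects, which may be present due to the
		// repository being renamed. But do not follow HTTP 302 redirects,
		// which is what GitHub uses to redirect to the latest release.
		if req.Response != nil && req.Response.StatusCode == http.StatusFound {
			return http.ErrUseLastResponse
		}
		return nil
	}
	// … unchanged: HEAD request, status and Location handling …
```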
@@ -0,0 +1,261 @@ +package version + +import ( + "fmt" + "net/http" + "net/http/httptest" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestAIsNewerThanB(t *testing.T) { + tests := []struct { + A string + B string + Expect bool + }{ + {"2.0.0", "1.0.0", true}, + {"1.1.0", "1.0.0", true}, + {"1.0.1", "1.0.0", true}, + {"v2.0.0", "v1.0.0", true}, + {"v1.1.0", "v1.0.0", true}, + {"v1.0.1", "v1.0.0", true}, + {"v1.0.0", "v1.0.0", false}, + {"v0.9.0", "v1.0.0", false}, + {"1.0.0", "1.0.0-alpha", true}, + {"0.9.0", "1.0.0", true}, // Special case, 1.x is always considered newer. + } + + for _, test := range tests { + result, err := AIsNewerThanB(test.A, test.B) + if err != nil { + t.Errorf("Error for A=%s, B=%s: %s", test.A, test.B, err) + continue + } + if result != test.Expect { + t.Errorf("Mismatch for A=%s, B=%s: got %v, expected %v", test.A, test.B, result, test.Expect) + } + } +} + +func Test_releaseFetcher_LatestRelease(t *testing.T) { + tests := []struct { + name string + mockRedirect *mockServer + mockAPI *mockServer + wantTag string + wantURL string + wantErr bool + }{ + { + name: "RedirectSuccess", + mockRedirect: &mockServer{ + redirectChain: []int{http.StatusMovedPermanently, http.StatusMovedPermanently}, + statusCode: http.StatusFound, + header: http.Header{"Location": {"https://github.com/owner/repo/releases/tag/v2.0.0"}}, + }, + wantTag: "v2.0.0", + wantURL: "https://github.com/owner/repo/releases/tag/v2.0.0", + }, + { + name: "APIFallbackSuccess", + mockRedirect: &mockServer{ + statusCode: http.StatusNotFound, + }, + mockAPI: &mockServer{ + statusCode: http.StatusOK, + response: `{"tag_name": "v1.0.0", "html_url": "https://github.com/owner/repo/releases/tag/v1.0.0"}`, + }, + wantTag: "v1.0.0", + wantURL: "https://github.com/owner/repo/releases/tag/v1.0.0", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + f := releaseFetcher{} + + var redirectServer *httptest.Server + if test.mockRedirect != nil { + 
redirectServer = test.mockRedirect.start() + defer redirectServer.Close() + f.endpoint = redirectServer.URL + } + + var apiServer *httptest.Server + if test.mockAPI != nil { + apiServer = test.mockAPI.start() + defer apiServer.Close() + f.apiEndpoint = apiServer.URL + } + + tag, url, err := f.LatestRelease("owner/repo") + if test.wantErr { + assert.Error(t, err, "Expected an error") + } else { + assert.NoError(t, err, "Unexpected error") + } + assert.Equal(t, test.wantTag, tag, "Incorrect release tag") + assert.Equal(t, test.wantURL, url, "Incorrect release URL") + }) + } +} + +func Test_releaseFetcher_LatestReleaseUsingRedirect(t *testing.T) { + tests := []struct { + name string + mockServer mockServer + wantTag string + wantURL string + wantErr bool + }{ + { + name: "Success", + mockServer: mockServer{ + // Include two redirects to ensure that the final redirect is used to determine the tag. + redirectChain: []int{http.StatusMovedPermanently, http.StatusMovedPermanently}, + statusCode: http.StatusFound, + header: http.Header{"Location": {"https://github.com/owner/repo/releases/tag/v1.0.0"}}, + }, + wantTag: "v1.0.0", + wantURL: "https://github.com/owner/repo/releases/tag/v1.0.0", + }, + { + name: "RedirectMissingLocation", + mockServer: mockServer{ + statusCode: http.StatusFound, + header: http.Header{}, + }, + wantErr: true, + }, + { + name: "UnexpectedStatusCode", + mockServer: mockServer{ + statusCode: http.StatusOK, + }, + wantErr: true, + }, + { + name: "TagNotFound", + mockServer: mockServer{ + statusCode: http.StatusFound, + header: http.Header{"Location": {"https://github.com/owner/repo/releases"}}, + }, + wantErr: true, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + server := test.mockServer.start() + defer server.Close() + + f := releaseFetcher{ + endpoint: server.URL, + } + tag, url, err := f.LatestReleaseUsingRedirect("owner/repo") + + if test.wantErr { + assert.Error(t, err, "Expected an error") + } else { + 
assert.NoError(t, err, "Unexpected error") + } + assert.Equal(t, test.wantTag, tag, "Incorrect release tag") + assert.Equal(t, test.wantURL, url, "Incorrect release URL") + }) + } +} + +func Test_releaseFetcher_LatestReleaseUsingAPI(t *testing.T) { + tests := []struct { + name string + mockServer mockServer + wantTag string + wantURL string + wantErr bool + }{ + { + name: "Success", + mockServer: mockServer{ + statusCode: http.StatusOK, + response: `{"tag_name": "v1.0.0", "html_url": "https://github.com/owner/repo/releases/tag/v1.0.0"}`, + }, + wantTag: "v1.0.0", + wantURL: "https://github.com/owner/repo/releases/tag/v1.0.0", + }, + { + name: "RequestError", + mockServer: mockServer{ + statusCode: http.StatusInternalServerError, + response: "", + }, + wantErr: true, + }, + { + name: "DecodeError", + mockServer: mockServer{ + statusCode: http.StatusOK, + response: `{"invalid_json":}`, + }, + wantErr: true, + }, + { + name: "NonOKStatusCode", + mockServer: mockServer{ + statusCode: http.StatusNotFound, + response: "", + }, + wantErr: true, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + server := test.mockServer.start() + defer server.Close() + + f := releaseFetcher{ + apiEndpoint: server.URL, + } + tag, url, err := f.LatestReleaseUsingAPI("owner/repo") + + if test.wantErr { + assert.Error(t, err, "Expected an error") + } else { + assert.NoError(t, err, "Unexpected error") + } + assert.Equal(t, test.wantTag, tag, "Incorrect release tag") + assert.Equal(t, test.wantURL, url, "Incorrect release URL") + }) + } +} + +type mockServer struct { + statusCode int + header http.Header + response string + redirectChain []int +} + +func (m *mockServer) start() *httptest.Server { + redirectIndex := 0 + + return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if redirectIndex < len(m.redirectChain) { + redirectStatusCode := m.redirectChain[redirectIndex] + redirectIndex++ + + w.Header().Set("Location", 
"/redirected") + w.WriteHeader(redirectStatusCode) + return + } + + for key, values := range m.header { + w.Header()[key] = values + } + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(m.statusCode) + fmt.Fprintln(w, m.response) + })) +} From 00b2e770157965ade65fbd2ed97e83343964ba71 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 17 Aug 2023 00:40:21 +0200 Subject: [PATCH 061/135] gcpkms: further deal with Google SDK deprecations xref: https://github.com/googleapis/google-cloud-go/blob/e535dc7c1d986c2ad6db3e8f5f2974935ee9ecda/migration.md Signed-off-by: Hidde Beydals --- gcpkms/keysource_test.go | 2 +- gcpkms/mock_kms_server_test.go | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/gcpkms/keysource_test.go b/gcpkms/keysource_test.go index 2904eb34b..a37fb5b6e 100644 --- a/gcpkms/keysource_test.go +++ b/gcpkms/keysource_test.go @@ -7,8 +7,8 @@ import ( "testing" "time" + "cloud.google.com/go/kms/apiv1/kmspb" "github.com/stretchr/testify/assert" - kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1" "google.golang.org/grpc" ) diff --git a/gcpkms/mock_kms_server_test.go b/gcpkms/mock_kms_server_test.go index 91b474747..bd2f30d60 100644 --- a/gcpkms/mock_kms_server_test.go +++ b/gcpkms/mock_kms_server_test.go @@ -23,12 +23,11 @@ import ( "io" "strings" - kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1" - "google.golang.org/protobuf/proto" - "google.golang.org/protobuf/types/known/anypb" - + "cloud.google.com/go/kms/apiv1/kmspb" "google.golang.org/genproto/googleapis/rpc/status" "google.golang.org/grpc/metadata" + "google.golang.org/protobuf/proto" + "google.golang.org/protobuf/types/known/anypb" ) var _ = io.EOF From 2df62239c11276dfbd602d91325c2bac4cc9f077 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 17 Aug 2023 00:57:17 +0200 Subject: [PATCH 062/135] *: deal with various gRPC deprecations 
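Review bot: In `Test_releaseFetcher_LatestRelease` the `wantErr` field is never set to true, so the fallback's own failure path — redirect and API mock both failing — is not pinned; a third case along the lines of `{name: "BothFail", mockRedirect: &mockServer{statusCode: http.StatusNotFound}, mockAPI: &mockServer{statusCode: http.StatusInternalServerError}, wantErr: true}` would cover it. `mockServer.start` increments `redirectIndex` from inside the handler without any synchronisation, which is fine while each case issues one sequential request but would be flagged by `-race` if a case ever made concurrent calls; a one-line comment stating that the handler assumes sequential requests would make that limitation explicit.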
Signed-off-by: Hidde Beydals --- cmd/sops/main.go | 17 ++++++++++------- gcpkms/keysource_test.go | 3 ++- keyservice/server.go | 7 +++---- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/cmd/sops/main.go b/cmd/sops/main.go index 9f7c5834b..6615d7b82 100644 --- a/cmd/sops/main.go +++ b/cmd/sops/main.go @@ -1,6 +1,7 @@ package main //import "github.com/getsops/sops/v3/cmd/sops" import ( + "context" encodingjson "encoding/json" "fmt" "net" @@ -11,10 +12,7 @@ import ( "reflect" "strconv" "strings" - "time" - "github.com/sirupsen/logrus" - "github.com/urfave/cli" "github.com/getsops/sops/v3" "github.com/getsops/sops/v3/aes" "github.com/getsops/sops/v3/age" @@ -38,7 +36,10 @@ import ( "github.com/getsops/sops/v3/stores/dotenv" "github.com/getsops/sops/v3/stores/json" "github.com/getsops/sops/v3/version" + "github.com/sirupsen/logrus" + "github.com/urfave/cli" "google.golang.org/grpc" + "google.golang.org/grpc/credentials/insecure" ) var log *logrus.Logger @@ -1031,10 +1032,12 @@ func keyservices(c *cli.Context) (svcs []keyservice.KeyServiceClient) { addr = url.Path } opts := []grpc.DialOption{ - grpc.WithInsecure(), - grpc.WithDialer(func(addr string, timeout time.Duration) (net.Conn, error) { - return net.DialTimeout(url.Scheme, addr, timeout) - }), + grpc.WithTransportCredentials(insecure.NewCredentials()), + grpc.WithContextDialer( + func(ctx context.Context, addr string) (net.Conn, error) { + return (&net.Dialer{}).DialContext(ctx, url.Scheme, addr) + }, + ), } log.WithField( "address", diff --git a/gcpkms/keysource_test.go b/gcpkms/keysource_test.go index a37fb5b6e..153bfb260 100644 --- a/gcpkms/keysource_test.go +++ b/gcpkms/keysource_test.go @@ -10,6 +10,7 @@ import ( "cloud.google.com/go/kms/apiv1/kmspb" "github.com/stretchr/testify/assert" "google.golang.org/grpc" + "google.golang.org/grpc/credentials/insecure" ) var ( 
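Review bot: `grpc.WithTransportCredentials(insecure.NewCredentials())` is a like-for-like replacement for `WithInsecure()`, but nothing at this site records why a plaintext, unauthenticated transport is acceptable for a channel that, judging by `Plaintext: plaintext` in the keyservice `Decrypt` hunk further down, carries decrypted data keys; a comment such as `// Key service connections are unauthenticated and unencrypted; presumably only unix sockets or loopback/tunnelled addresses are expected here — confirm.` would make that explicit for the next reader. The `WithContextDialer` closure also drops the explicit timeout the old `net.DialTimeout` received and relies on the deadline gRPC places in `ctx`; `net.Dialer{}` has no timeout of its own, so if that context is ever unbounded the dial is too. `keyservices` starts and ends outside this hunk.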
@@ -158,7 +159,7 @@ func newGRPCServer(port string) *grpc.ClientConn { } go serv.Serve(lis) - conn, err := grpc.Dial(lis.Addr().String(), grpc.WithInsecure()) + conn, err := grpc.Dial(lis.Addr().String(), grpc.WithTransportCredentials(insecure.NewCredentials())) if err != nil { log.Fatal(err) } diff --git a/keyservice/server.go b/keyservice/server.go index 85829621a..9f2b486a6 100644 --- a/keyservice/server.go +++ b/keyservice/server.go @@ -10,7 +10,6 @@ import ( "github.com/getsops/sops/v3/kms" "github.com/getsops/sops/v3/pgp" "golang.org/x/net/context" - "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" ) @@ -239,7 +238,7 @@ func (ks Server) prompt(key *Key, requestType string) error { } } if response == "n" { - return grpc.Errorf(codes.PermissionDenied, "Request rejected by user") + return status.Errorf(codes.PermissionDenied, "Request rejected by user") } return nil } @@ -300,9 +299,9 @@ func (ks Server) Decrypt(ctx context.Context, Plaintext: plaintext, } case nil: - return nil, grpc.Errorf(codes.NotFound, "Must provide a key") + return nil, status.Errorf(codes.NotFound, "Must provide a key") default: - return nil, grpc.Errorf(codes.NotFound, "Unknown key type") + return nil, status.Errorf(codes.NotFound, "Unknown key type") } if ks.Prompt { err := ks.prompt(key, "decrypt") From 46d3f5f77b751f65b90b4eef9e80aa91709a8a5e Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 17 Aug 2023 01:15:44 +0200 Subject: [PATCH 063/135] kms: use `BaseEndpoint` for testing This does the same, but with much less boilerplate. xref: https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/endpoints/#v2-endpointresolverv2--baseendpoint Signed-off-by: Hidde Beydals --- kms/keysource.go | 22 +++++++++++++--------- kms/keysource_test.go | 17 ++++------------- 2 files changed, 17 insertions(+), 22 deletions(-) diff --git a/kms/keysource.go b/kms/keysource.go index 09a26a326..47c369b36 100644 --- a/kms/keysource.go +++ b/kms/keysource.go 
@@ -70,11 +70,11 @@ type MasterKey struct { // using CredentialsProvider.ApplyToMasterKey. If nil, the default client is used // which utilizes runtime environmental values. credentialsProvider aws.CredentialsProvider - // epResolver can be used to override the endpoint the AWS client resolves + // baseEndpoint can be used to override the endpoint the AWS client resolves // to by default. This is mostly used for testing purposes as it can not be // injected using e.g. an environment variable. The field is not publicly // exposed, nor configurable. - epResolver aws.EndpointResolverWithOptions + baseEndpoint string } // NewMasterKey creates a new MasterKey from an ARN, role and context, setting @@ -197,7 +197,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error { log.WithField("arn", key.Arn).Error("Encryption failed") return err } - client := kms.NewFromConfig(*cfg) + client := key.createClient(cfg) input := &kms.EncryptInput{ KeyId: &key.Arn, Plaintext: dataKey, @@ -245,7 +245,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) { log.WithField("arn", key.Arn).Error("Decryption failed") return nil, err } - client := kms.NewFromConfig(*cfg) + client := key.createClient(cfg) input := &kms.DecryptInput{ KeyId: &key.Arn, CiphertextBlob: k, @@ -309,11 +309,6 @@ func (key MasterKey) createKMSConfig() (*aws.Config, error) { lo.SharedConfigProfile = key.AwsProfile } lo.Region = region - - // Set the epResolver, if present. Used ONLY for tests. - if key.epResolver != nil { - lo.EndpointResolverWithOptions = key.epResolver - } return nil }) if err != nil { 
@@ -326,6 +321,15 @@ func (key MasterKey) createKMSConfig() (*aws.Config, error) { return &cfg, nil } +// createClient creates a new AWS KMS client with the provided config. +func (key MasterKey) createClient(config *aws.Config) *kms.Client { + return kms.NewFromConfig(*config, func(o *kms.Options) { + if key.baseEndpoint != "" { + o.BaseEndpoint = aws.String(key.baseEndpoint) + } + }) +} + // createSTSConfig uses AWS STS to assume a role and returns a config // configured with that role's credentials. It returns an error if // it fails to construct a session name, or assume the role. diff --git a/kms/keysource_test.go b/kms/keysource_test.go index f558197ea..81cd9bbd8 100644 --- a/kms/keysource_test.go +++ b/kms/keysource_test.go @@ -549,7 +549,7 @@ func createTestMasterKey(arn string) MasterKey { return MasterKey{ Arn: arn, credentialsProvider: credentials.NewStaticCredentialsProvider("id", "secret", ""), - epResolver: epResolver{}, + baseEndpoint: testKMSServerURL, } } @@ -560,16 +560,7 @@ func createTestKMSClient(key MasterKey) (*kms.Client, error) { if err != nil { return nil, err } - cfg.EndpointResolverWithOptions = epResolver{} - return kms.NewFromConfig(*cfg), nil -} - -// epResolver is a dummy resolver that points to the local test KMS server. -type epResolver struct{} - -// ResolveEndpoint always resolves to testKMSServerURL. -func (e epResolver) ResolveEndpoint(_, _ string, _ ...interface{}) (aws.Endpoint, error) { - return aws.Endpoint{ - URL: testKMSServerURL, - }, nil + return kms.NewFromConfig(*cfg, func(options *kms.Options) { + options.BaseEndpoint = aws.String(testKMSServerURL) + }), nil } From 0634019a84b0b514b9f6e7ca4d9f99109920dfbc Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 17 Aug 2023 01:21:25 +0200 Subject: [PATCH 064/135] *: `strings.Title` deprecation Replace with simple manual construction of upper boolean representation, as the (construction of the) `golang.org/x/text/cases` replacement is way too complex for this use case. 
Signed-off-by: Hidde Beydals --- aes/cipher.go | 9 ++++++--- sops.go | 8 ++++++-- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/aes/cipher.go b/aes/cipher.go index d4ad74add..291f2fedf 100644 --- a/aes/cipher.go +++ b/aes/cipher.go @@ -11,11 +11,10 @@ import ( "fmt" "regexp" "strconv" - "strings" - "github.com/sirupsen/logrus" "github.com/getsops/sops/v3" "github.com/getsops/sops/v3/logging" + "github.com/sirupsen/logrus" ) var log *logrus.Logger @@ -172,7 +171,11 @@ func (c Cipher) Encrypt(plaintext interface{}, key []byte, additionalData string case bool: encryptedType = "bool" // The Python version encodes booleans with Titlecase - plainBytes = []byte(strings.Title(strconv.FormatBool(value))) + if value { + plainBytes = []byte("True") + } else { + plainBytes = []byte("False") + } case sops.Comment: encryptedType = "comment" plainBytes = []byte(value.Value) diff --git a/sops.go b/sops.go index daebb2352..6371bcb8c 100644 --- a/sops.go +++ b/sops.go @@ -46,12 +46,12 @@ import ( "strings" "time" - "github.com/sirupsen/logrus" "github.com/getsops/sops/v3/audit" "github.com/getsops/sops/v3/keys" "github.com/getsops/sops/v3/keyservice" "github.com/getsops/sops/v3/logging" "github.com/getsops/sops/v3/shamir" + "github.com/sirupsen/logrus" "golang.org/x/net/context" ) @@ -734,7 +734,11 @@ func ToBytes(in interface{}) ([]byte, error) { case float64: return []byte(strconv.FormatFloat(in, 'f', -1, 64)), nil case bool: - return []byte(strings.Title(strconv.FormatBool(in))), nil + boolB := []byte("True") + if !in { + boolB = []byte("False") + } + return boolB, nil case []byte: return in, nil case Comment: From 212e0ab926d8494f88fa55f34b209a35fd5ccb40 Mon Sep 17 00:00:00 2001 
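Review bot: The `strings.Title` replacement is written two different ways in the two hunks: `aes/cipher.go` uses an `if value { ... } else { ... }`, while `ToBytes` in `sops.go` assigns `"True"` and overrides on `!in`. Since `aes/cipher.go` already imports the `sops` package and the visible `case bool:` branch of `ToBytes` always returns a nil error, the cipher's `case bool:` could delegate to `sops.ToBytes(value)` instead of re-encoding, so the Python-compatible `True`/`False` rule lives in one place; failing that, both sites should at least use the same shape. Both enclosing functions start and end outside their hunks.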
From: Hidde Beydals Date: Wed, 23 Aug 2023 23:49:29 +0200 Subject: [PATCH 065/135] cmd/edit: close temp file before invoking editor This changes the logic of the edit target to close the temporary file before it is opened by the user their editor. This works around an issue on Windows where editors are unable to open the file because the Go standard library opens file handles with only shared read and write access (excluding deletion access, which is required by some). Signed-off-by: Hidde Beydals --- cmd/sops/edit.go | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/cmd/sops/edit.go b/cmd/sops/edit.go index 730d99214..ee196e35b 100644 --- a/cmd/sops/edit.go +++ b/cmd/sops/edit.go @@ -40,7 +40,7 @@ type editExampleOpts struct { } type runEditorUntilOkOpts struct { - TmpFile *os.File + TmpFileName string OriginalHash []byte InputStore sops.Store ShowMasterKeys bool @@ -115,6 +115,10 @@ func editTree(opts editOpts, tree *sops.Tree, dataKey []byte) ([]byte, error) { if err != nil { return nil, common.NewExitError(fmt.Sprintf("Could not create temporary file: %s", err), codes.CouldNotWriteOutputFile) } + // Ensure that in any case, the temporary file is always closed. + defer tmpfile.Close() + + tmpfileName := tmpfile.Name() // Write to temporary file var out []byte 
@@ -131,18 +135,23 @@ func editTree(opts editOpts, tree *sops.Tree, dataKey []byte) ([]byte, error) { return nil, common.NewExitError(fmt.Sprintf("Could not write output file: %s", err), codes.CouldNotWriteOutputFile) } - // Close temporary file, since Windows won't delete the file unless it's closed beforehand - defer tmpfile.Close() - // Compute file hash to detect if the file has been edited - origHash, err := hashFile(tmpfile.Name()) + origHash, err := hashFile(tmpfileName) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Could not hash file: %s", err), codes.CouldNotReadInputFile) } + // Close the temporary file, so that an editor can open it. + // We need to do this because some editors (e.g. VSCode) will refuse to + // open a file on Windows due to the Go standard library not opening + // files with shared delete access. + if err := tmpfile.Close(); err != nil { + return nil, err + } + // Let the user edit the file err = runEditorUntilOk(runEditorUntilOkOpts{ - InputStore: opts.InputStore, OriginalHash: origHash, TmpFile: tmpfile, + InputStore: opts.InputStore, OriginalHash: origHash, TmpFileName: tmpfileName, ShowMasterKeys: opts.ShowMasterKeys, Tree: tree}) if err != nil { return nil, err 
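Review bot: The new `if err := tmpfile.Close(); err != nil { return nil, err }` returns a bare error, whereas every other failure in `editTree` is wrapped in `common.NewExitError` with a `codes.*` exit status, so a close failure would surface with the generic exit code; `return nil, common.NewExitError(fmt.Sprintf("Could not close temporary file: %s", err), codes.CouldNotWriteOutputFile)` keeps the convention. The unconditional `defer tmpfile.Close()` added in the `-115` hunk above then runs on an already-closed file and discards the resulting error, which is harmless but worth a word in that "Ensure that in any case" comment. `editTree` starts and ends outside this hunk.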
@@ -166,18 +175,18 @@ func editTree(opts editOpts, tree *sops.Tree, dataKey []byte) ([]byte, error) { func runEditorUntilOk(opts runEditorUntilOkOpts) error { for { - err := runEditor(opts.TmpFile.Name()) + err := runEditor(opts.TmpFileName) if err != nil { return common.NewExitError(fmt.Sprintf("Could not run editor: %s", err), codes.NoEditorFound) } - newHash, err := hashFile(opts.TmpFile.Name()) + newHash, err := hashFile(opts.TmpFileName) if err != nil { return common.NewExitError(fmt.Sprintf("Could not hash file: %s", err), codes.CouldNotReadInputFile) } if bytes.Equal(newHash, opts.OriginalHash) { return common.NewExitError("File has not changed, exiting.", codes.FileHasNotBeenModified) } - edited, err := os.ReadFile(opts.TmpFile.Name()) + edited, err := os.ReadFile(opts.TmpFileName) if err != nil { return common.NewExitError(fmt.Sprintf("Could not read edited file: %s", err), codes.CouldNotReadInputFile) } From efacb09245ff44d3533bde1ff26c93d58bba1990 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Wed, 23 Aug 2023 23:53:14 +0200 Subject: [PATCH 066/135] cmd/edit: switch from MD5 to SHA-256 for checksum More 2023 alike :-) This change is fully backwards compatible, as the checksum is only used to make a comparison before and after the file has been opened by the editor. Signed-off-by: Hidde Beydals --- cmd/sops/edit.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/sops/edit.go b/cmd/sops/edit.go index ee196e35b..4ac92e487 100644 --- a/cmd/sops/edit.go +++ b/cmd/sops/edit.go @@ -3,7 +3,7 @@ package main import ( "bufio" "bytes" - "crypto/md5" + "crypto/sha256" "fmt" "io" "os" @@ -245,7 +245,7 @@ func hashFile(filePath string) ([]byte, error) { return result, err } defer file.Close() - hash := md5.New() + hash := sha256.New() if _, err := io.Copy(hash, file); err != nil { return result, err } From e429336f55bd8f22b4d980d883ab7c8859daf548 Mon Sep 17 00:00:00 2001 
From: Hidde Beydals Date: Thu, 24 Aug 2023 13:45:32 +0200 Subject: [PATCH 067/135] build: ensure clean working tree This catches `go.*` files being out-of-sync. Signed-off-by: Hidde Beydals --- .github/workflows/cli.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml index 15f208b69..40c3227f0 100644 --- a/.github/workflows/cli.yml +++ b/.github/workflows/cli.yml @@ -39,6 +39,10 @@ jobs: key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- + - name: Vendor Go Modules + run: make vendor + - name: Ensure clean working tree + run: git diff --exit-code - name: Build Linux and Darwin if: matrix.os != 'windows' run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops From d389b32648ea71f0ce675a2de56827758dddcbbb Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 24 Aug 2023 13:47:42 +0200 Subject: [PATCH 068/135] build: address out-of-sync `go.mod` Signed-off-by: Hidde Beydals --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 2e5ab453f..7425011b3 100644 --- a/go.mod +++ b/go.mod @@ -38,7 +38,6 @@ require ( golang.org/x/sys v0.11.0 golang.org/x/term v0.11.0 google.golang.org/api v0.138.0 - google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d google.golang.org/grpc v1.57.0 google.golang.org/protobuf v1.31.0 @@ -125,6 +124,7 @@ require ( golang.org/x/tools v0.7.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/appengine v1.6.7 // indirect + google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 // indirect gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect 
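Review bot: `git diff --exit-code` after `make vendor` only reports modifications to tracked files, so a new, untracked file produced by the vendoring step would pass the "Ensure clean working tree" step silently; if that matters here, `test -z "$(git status --porcelain)"` (or adding `git ls-files --others --exclude-standard` to the check) catches both tracked and untracked drift. A short comment on the step naming what it is meant to catch, e.g. `# fails when go.mod/go.sum are out of sync with the vendored modules`, would also save the next reader a trip to the commit message.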
From 6bb00f942c5ce6b7f4fd445fff7840fbef379113 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 24 Aug 2023 13:49:26 +0200 Subject: [PATCH 069/135] build: remove obsolete step & improve readability Signed-off-by: Hidde Beydals --- .github/workflows/cli.yml | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml index 40c3227f0..5e548f369 100644 --- a/.github/workflows/cli.yml +++ b/.github/workflows/cli.yml @@ -24,41 +24,49 @@ jobs: VAULT_TOKEN: "root" VAULT_ADDR: "http://127.0.0.1:8200" steps: - - name: Install dependencies - run: sudo apt-get update && sudo apt-get install git -y - name: Set up Go 1.20 uses: actions/setup-go@v3 with: go-version: '1.20' id: go + - name: Check out code into the Go module directory uses: actions/checkout@v3 + - uses: actions/cache@v3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- + - name: Vendor Go Modules run: make vendor + - name: Ensure clean working tree run: git diff --exit-code + - name: Build Linux and Darwin if: matrix.os != 'windows' run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops + - name: Build Windows if: matrix.os == 'windows' run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops + - name: Import test GPG keys run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done + - name: Test run: make test + - name: Upload artifact for Linux and Darwin if: matrix.os != 'windows' uses: actions/upload-artifact@v3 with: name: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} path: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} + - name: Upload artifact for Windows if: matrix.os == 'windows' uses: actions/upload-artifact@v3 
@@ -76,23 +84,32 @@ jobs: steps: - name: Install rustup run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain 1.70.0 + - name: Check out code uses: actions/checkout@v3 + - uses: actions/download-artifact@v3 with: name: sops-linux-amd64-${{ github.sha }} + - name: Move SOPS binary run: mv sops-linux-amd64-${{ github.sha }} ./functional-tests/sops + - name: Make SOPS binary executable run: chmod +x ./functional-tests/sops + - name: Download Vault run: curl -O "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && sudo unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /usr/local/bin/ + - name: Start Vault server run: vault server -dev -dev-root-token-id="$VAULT_TOKEN" & + - name: Enable Vault KV run: vault secrets enable -version=1 kv + - name: Import test GPG keys run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done + - name: Run tests run: cargo test working-directory: ./functional-tests From e9946be0d5ac0eee1ac9b079e058d4114fc11b9a Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Fri, 25 Aug 2023 12:27:01 +0200 Subject: [PATCH 070/135] Fix formatting Change MarkDown-style formatting to proper RST formatting. Signed-off-by: Felix Fontein --- CHANGELOG.rst | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index db6d8eda2..7a654303a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,7 +8,7 @@ Changes: * Upgrade dependencies (#1024, #1045) * Build alpine container in CI (#1018, #1032, #1025) * keyservice: accept KeyServiceServer in LocalClient (#1035) -* Add support for GCP Service Account within `GOOGLE_CREDENTIALS` (#953) +* Add support for GCP Service Account within ``GOOGLE_CREDENTIALS`` (#953) Bug fixes: 
@@ -81,8 +81,8 @@ Bug fixes: Features: * Support for encrypting data through the use of Hashicorp Vault (#655) -* `sops publish` now supports `--recursive` flag for publishing all files in a directory (#602) -* `sops publish` now supports `--omit-extensions` flag for omitting the extension in the destination path (#602) +* ``sops publish`` now supports ``--recursive`` flag for publishing all files in a directory (#602) +* ``sops publish`` now supports ``--omit-extensions`` flag for omitting the extension in the destination path (#602) * sops now supports JSON arrays of arrays (#642) Improvements: @@ -92,9 +92,9 @@ Improvements: Bug fixes: -* AWS SDK usage now correctly resolves the `~/.aws/config` file (#680) -* `sops updatekeys` now correctly matches config rules (#682) -* `sops updatekeys` now correctly uses the config path cli flag (#672) +* AWS SDK usage now correctly resolves the ``~/.aws/config`` file (#680) +* ``sops updatekeys`` now correctly matches config rules (#682) +* ``sops updatekeys`` now correctly uses the config path cli flag (#672) * Partially empty sops config files don't break the use of sops anymore (#662) * Fix possible infinite loop in PGP's passphrase prompt call (#690) 
@@ -111,35 +111,35 @@ Project changes: ----- Features: -* `sops exec-env` and `sops exec-file`, two new commands for utilizing sops secrets within a temporary file or env vars +* ``sops exec-env`` and ``sops exec-file``, two new commands for utilizing sops secrets within a temporary file or env vars Bug fixes: * Sanitize AWS STS session name, as sops creates it based off of the machines hostname -* Fix for `decrypt.Data` to support `.ini` files +* Fix for ``decrypt.Data`` to support ``.ini`` files * Various package fixes related to switching to Go Modules * Fixes for Vault-related tests running locally and in CI. Project changes: -* Change to proper use of go modules, changing to primary module name to `go.mozilla.org/sops/v3` -* Change tags to requiring a `v` prefix. -* Add documentation for `sops updatekeys` command +* Change to proper use of go modules, changing to primary module name to ``go.mozilla.org/sops/v3`` +* Change tags to requiring a ``v`` prefix. +* Add documentation for ``sops updatekeys`` command 3.4.0 ----- Features: -* `sops publish`, a new command for publishing sops encrypted secrets to S3, GCS, or Hashicorp Vault +* ``sops publish``, a new command for publishing sops encrypted secrets to S3, GCS, or Hashicorp Vault * Support for multiple Azure authentication mechanisms * Azure Keyvault support to the sops config file -* `encrypted_regex` option to the sops config file +* ``encrypted_regex`` option to the sops config file Bug fixes: * Return non-zero exit code for invalid CLI flags * Broken path handling for sops editing on Windows -* `go lint/fmt` violations +* ``go lint/fmt`` violations * Check for pgp fingerprint before slicing it Project changes: 
@@ -157,12 +157,12 @@ Bug fixes: * Make sure the pgp key fingerprint is longer than 16 characters before slicing it. (#463) -* Allow for `--set` value to be a string. (#461) +* Allow for ``--set`` value to be a string. (#461) Project changes: -* Using `develop` as a staging branch to create releases off of. What - is in `master` is now the current stable release. +* Using ``develop`` as a staging branch to create releases off of. What + is in ``master`` is now the current stable release. * Upgrade to using Go 1.12 to build sops * Updated all vendored packages @@ -270,11 +270,11 @@ Project infrastructure changes: ----- * Shamir secret sharing scheme support allows SOPS to require multiple master - keys to access a data key and decrypt a file. See `sops groups -help` and the + keys to access a data key and decrypt a file. See ``sops groups -help`` and the documentation in README. * Keyservice to forward access to a local master key on a socket, similar to - gpg-agent. See `sops keyservice --help` and the documentation in README. + gpg-agent. See ``sops keyservice --help`` and the documentation in README. * Encrypt comments by default From bd965c07012fc082485daea50545053f13825ad6 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 24 Aug 2023 19:49:02 +0200 Subject: [PATCH 071/135] Prepare v3.8.0-rc.1 Signed-off-by: Hidde Beydals --- CHANGELOG.rst | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 7a654303a..5cf264db3 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -1,6 +1,51 @@ Changelog ========= +3.8.0-rc.1 +---------- +Features: + +* Support ``--version`` without network requests using ``--disable-version-check`` (#1115) +* Support ``--input-type`` for updatekeys command (#1116) + +Improvements: + +* pgp: modernize and improve, and add tests (#1054) +* azkv: update SDK to latest, add tests, tidy (#1067, #1092, #1256) +* age: improve identity loading, add tests, tidy (#1064) +* kms: AWS SDK V2, allow creds config, add tests (#1065, #1257) +* gcpkms: update SDK to latest, add tests, tidy (#1072, #1255) +* hcvault: update API, add tests, tidy (#1085) +* Do not report version when upstream ``--version`` check fails (#1124) +* Use GitHub endpoints in ``--version`` command (#1261) +* Close temporary file before invoking editor to widen support on Windows (#1265) +* Update dependencies (#1063, #1091, #1147, #1242, #1260, #1264) +* Deal with various deprecations of dependencies (#1113, #1262) + +Bug fixes: + +* Ensure YAML comments are not displaced (#1069) +* Ensure default Google credentials can be used again after introduction of ``GOOGLE_CREDENTIALS`` (#1249) +* Avoid duplicate logging of errors in some key sources (#1146) +* Using `--set` on a root level key does no longer truncate existing values (#899) +* Ensure stable order of SOPS parameters in dotenv file (#1101) + +Project changes: + +* Update Go to 1.20 (#1148) +* Update rustc functional tests to v1.70.0 (#1234) +* Remove remaining CircleCI workflow (#1237) +* Run CLI workflow on main (#1243) +* Delete obsolete ``validation/`` artifact (#1248) +* Rename Go module to ``github.com/getsops/sops/v3`` (#1247) +* Revamp release automation, including (Cosign) signed container images and checksums file, SLSA3 provenance and SBOMs (#1250) +* Update various bits of documentation (#1244) +* Add missing ``--encrypt`` flag from Vault example (#1060) +* Add documentation on how to use age in ``.sops.yaml`` (#1192) +* Improve Make targets and address various issues (#1258) +* 
Ensure clean working tree in CI (#1267) +* Fix CHANGELOG.rst formatting (#1269) + 3.7.3 ----- Changes: From b9a8076bac92b5b4c829a69e54ee71d1ad8e5ce9 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Mon, 11 Sep 2023 22:42:11 +0200 Subject: [PATCH 072/135] chore: update dependencies - cloud.google.com/go/storage to v1.33.0 - github.com/Azure/azure-sdk-for-go/sdk/azcore to v1.7.2 - github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys to v1.0.1 - github.com/ProtonMail/go-crypto to v0.0.0-20230828082145-3c4c8a2d2371 - github.com/aws/aws-sdk-go-v2/config to v1.18.39 - github.com/aws/aws-sdk-go-v2/credentials to v1.13.37 - github.com/aws/aws-sdk-go-v2/feature/s3/manager to v1.11.83 - github.com/hashicorp/vault/api to v1.10.0 - golang.org/x/net to v0.15.0 - golang.org/x/sys to v0.12.0 - golang.org/x/term to v0.12.0 - google.golang.org/api to v0.139.0 - google.golang.org/genproto/googleapis/rpc to v0.0.0-20230911183012-2d3300fd4832 - google.golang.org/grpc to v1.58.0 Signed-off-by: Hidde Beydals --- go.mod | 40 ++++++++++---------- go.sum | 113 ++++++++++++++++++++------------------------------------- 2 files changed, 60 insertions(+), 93 deletions(-) diff --git a/go.mod b/go.mod index 7425011b3..62e5cffc2 100644 --- a/go.mod +++ b/go.mod 
@@ -4,16 +4,16 @@ go 1.19 require ( cloud.google.com/go/kms v1.15.1 - cloud.google.com/go/storage v1.32.0 + cloud.google.com/go/storage v1.33.0 filippo.io/age v1.1.1 - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 - github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.0 - github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 + github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 github.com/aws/aws-sdk-go-v2 v1.21.0 - github.com/aws/aws-sdk-go-v2/config v1.18.36 - github.com/aws/aws-sdk-go-v2/credentials v1.13.35 - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.80 + github.com/aws/aws-sdk-go-v2/config v1.18.39 + github.com/aws/aws-sdk-go-v2/credentials v1.13.37 + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.83 github.com/aws/aws-sdk-go-v2/service/kms v1.24.5 github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5 github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 @@ -25,7 +25,7 @@ require ( github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 github.com/goware/prefixer v0.0.0-20160118172347-395022866408 github.com/hashicorp/go-cleanhttp v0.5.2 - github.com/hashicorp/vault/api v1.9.2 + github.com/hashicorp/vault/api v1.10.0 github.com/lib/pq v1.10.9 github.com/mitchellh/go-homedir v1.1.0 github.com/mitchellh/go-wordwrap v1.0.1 
@@ -34,12 +34,12 @@ require ( github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.8.4 github.com/urfave/cli v1.22.14 - golang.org/x/net v0.14.0 - golang.org/x/sys v0.11.0 - golang.org/x/term v0.11.0 - google.golang.org/api v0.138.0 - google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d - google.golang.org/grpc v1.57.0 + golang.org/x/net v0.15.0 + golang.org/x/sys v0.12.0 + golang.org/x/term v0.12.0 + google.golang.org/api v0.139.0 + google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832 + google.golang.org/grpc v1.58.0 google.golang.org/protobuf v1.31.0 gopkg.in/ini.v1 v1.67.0 gopkg.in/yaml.v3 v3.0.1 @@ -51,7 +51,7 @@ require ( cloud.google.com/go/compute/metadata v0.2.3 // indirect cloud.google.com/go/iam v1.1.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect - github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect github.com/Microsoft/go-winio v0.6.0 // indirect @@ -66,8 +66,8 @@ require ( github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.36 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 // indirect github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.13.5 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.13.6 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.6 // indirect github.com/aws/smithy-go v1.14.2 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/cenkalti/backoff/v4 v4.1.3 // indirect 
@@ -83,7 +83,7 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v5 v5.0.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/google/s2a-go v0.1.5 // indirect + github.com/google/s2a-go v0.1.7 // indirect github.com/google/uuid v1.3.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect github.com/googleapis/gax-go/v2 v2.12.0 // indirect @@ -115,11 +115,11 @@ require ( github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect go.opencensus.io v0.24.0 // indirect - golang.org/x/crypto v0.12.0 // indirect + golang.org/x/crypto v0.13.0 // indirect golang.org/x/mod v0.9.0 // indirect golang.org/x/oauth2 v0.11.0 // indirect golang.org/x/sync v0.3.0 // indirect - golang.org/x/text v0.12.0 // indirect + golang.org/x/text v0.13.0 // indirect golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect golang.org/x/tools v0.7.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect diff --git a/go.sum b/go.sum index 0d501bddf..10a84ccab 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,4 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.110.7 h1:rJyC7nWRg2jWGZ4wSJ5nY65GTdYJkg0cd/uXb+ACI6o= cloud.google.com/go v0.110.7/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI= cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY= 
@@ -10,20 +9,20 @@ cloud.google.com/go/iam v1.1.1 h1:lW7fzj15aVIXYHREOqjRBV9PsH0Z6u8Y46a1YGvQP4Y= cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= cloud.google.com/go/kms v1.15.1 h1:HUC3fAoepH3RpcQXiJhXWWYizjQ5r7YjI7SO9ZbHf9s= cloud.google.com/go/kms v1.15.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM= -cloud.google.com/go/storage v1.32.0 h1:5w6DxEGOnktmJHarxAOUywxVW9lbNWIzlzzUltG/3+o= -cloud.google.com/go/storage v1.32.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/OxflYkiD8= +cloud.google.com/go/storage v1.33.0 h1:PVrDOkIC8qQVa1P3SXGpQvfuJhN2LHOoyZvWs8D2X5M= +cloud.google.com/go/storage v1.33.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/OxflYkiD8= filippo.io/age v1.1.1 h1:pIpO7l151hCnQ4BdyBujnGP2YlUo0uj6sAVNHGBvXHg= filippo.io/age v1.1.1/go.mod h1:l03SrzDUrBkdBx8+IILdnn2KZysqQdbEBUQ4p3sqEQE= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 h1:/iHxaJhsFr0+xVFfbMr5vxz848jyiWuIEDhYq3y5odY= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2 h1:t5+QXLCK9SVi0PPdaY0PrFvYUo24KwA0QwxnaHRSVd4= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.0 h1:yfJe15aSwEQ6Oo6J+gdfdulPNoZ3TEhmbhLIoxZcA+U= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.0/go.mod h1:Q28U+75mpCaSCDowNEmhIo/rmgdkqmkmzI7N6TGR4UY= 
-github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 h1:T028gtTPiYt/RMUfs8nVsAL7FDQrfLlrm/NnRG/zcC4= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0/go.mod h1:cw4zVQgBby0Z5f2v0itn6se2dDP17nTjbZFXW5uPyHA= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 h1:MyVTgWR8qd/Jw1Le0NZebGBUCLbtak3bJ3z1OlqZBpw= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1/go.mod h1:GpPjLhVR9dnUoJMyHWSPy71xY9/lcmpzIPZXmF0FCVY= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 h1:WpB/QDNLpMw72xHJc34BNNykqSOeEJDAWkhf0u12/Jk= 
@@ -34,22 +33,21 @@ github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2y github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw= github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk= -github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 h1:KLq8BE0KwCL+mmXnjLWEAOYO+2l2AE4YMmqG1ZpZHBs= -github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= -github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg= +github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/aws/aws-sdk-go-v2 v1.21.0 h1:gMT0IW+03wtYJhRqTVYn0wLzwdnK9sRMcxmtfGzRdJc= github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13 h1:OPLEkmhXf6xFPiz0bLeDArZIDx1NNS4oJyG4nv3Gct0= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13/go.mod h1:gpAbvyDGQFozTEmlTFO8XcQKHzubdq0LzRyJpG6MiXM= -github.com/aws/aws-sdk-go-v2/config v1.18.36 h1:mLNA12PWU1Y+ueOO79QgQfKIPhc1MYKl44RmvASkJ7Q= -github.com/aws/aws-sdk-go-v2/config v1.18.36/go.mod h1:8AnEFxW9/XGKCbjYDCJy7iltVNyEI9Iu9qC21UzhhgQ= -github.com/aws/aws-sdk-go-v2/credentials v1.13.35 h1:QpsNitYJu0GgvMBLUIYu9H4yryA5kMksjeIVQfgXrt8= -github.com/aws/aws-sdk-go-v2/credentials v1.13.35/go.mod h1:o7rCaLtvK0hUggAGclf76mNGGkaG5a9KWlp+d9IpcV8= +github.com/aws/aws-sdk-go-v2/config v1.18.39 h1:oPVyh6fuu/u4OiW4qcuQyEtk7U7uuNBmHmJSLg1AJsQ= 
+github.com/aws/aws-sdk-go-v2/config v1.18.39/go.mod h1:+NH/ZigdPckFpgB1TRcRuWCB/Kbbvkxc/iNAKTq5RhE= +github.com/aws/aws-sdk-go-v2/credentials v1.13.37 h1:BvEdm09+ZEh2XtN+PVHPcYwKY3wIeB6pw7vPRM4M9/U= +github.com/aws/aws-sdk-go-v2/credentials v1.13.37/go.mod h1:ACLrdkd4CLZyXOghZ8IYumQbcooAcp2jo/s2xsFH8IM= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 h1:uDZJF1hu0EVT/4bogChk8DyjSF6fof6uL/0Y26Ma7Fg= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11/go.mod h1:TEPP4tENqBGO99KwVpV9MlOX4NSrSLP8u3KRy2CDwA8= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.80 h1:UrlTIXE+X+u/680ZIPkuM5QYg1D5+bWjlOGlOfHCptU= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.80/go.mod h1:57ALQch4qLc5kVWTHloB61HfmMc8ZlAgia3xEO2Bolc= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.83 h1:wcluDLIQ0uYaxv0fCWQRimbXkPdTgWHUD21j1CzXEwc= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.83/go.mod h1:nGCBuon134gW67yAtxHKV73x+tAcY/xG4ZPNPDB1h/I= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 h1:22dGT7PneFMx4+b3pz7lMTRyN8ZKH7M2cW4GP9yUS2g= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41/go.mod h1:CrObHAuPneJBlfEJ5T3szXOUkLEThaGfvnhTf33buas= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 h1:SijA0mgjV8E+8G45ltVHs0fvKpTj8xmZJ3VwhGKtUSI= 
@@ -70,10 +68,10 @@ github.com/aws/aws-sdk-go-v2/service/kms v1.24.5 h1:VNEw+EdYDUdkICYAVQ6n9WoAq8Zu
 github.com/aws/aws-sdk-go-v2/service/kms v1.24.5/go.mod h1:NZEhPgq+vvmM6L9w+xl78Vf7YxqUcpVULqFdrUhHg8I=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5 h1:A42xdtStObqy7NGvzZKpnyNXvoOmm+FENobZ0/ssHWk=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5/go.mod h1:rDGMZA7f4pbmTtPOk5v5UM2lmX6UAbRnMDJeDvnH7AM=
-github.com/aws/aws-sdk-go-v2/service/sso v1.13.5 h1:oCvTFSDi67AX0pOX3PuPdGFewvLRU2zzFSrTsgURNo0=
-github.com/aws/aws-sdk-go-v2/service/sso v1.13.5/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5 h1:dnInJb4S0oy8aQuri1mV6ipLlnZPfnsDNB9BGO9PDNY=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.13.6 h1:2PylFCfKCEDv6PeSN09pC/VUiRd10wi1VfHG5FrW0/g=
+github.com/aws/aws-sdk-go-v2/service/sso v1.13.6/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.6 h1:pSB560BbVj9ZlJZF4WYj5zsytWHWKxg+NgyGV4B2L58=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.6/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4=
 github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 h1:CQBFElb0LS8RojMJlxRSo/HXipvTZW2S44Lt9Mk2aYQ=
 github.com/aws/aws-sdk-go-v2/service/sts v1.21.5/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU=
 github.com/aws/smithy-go v1.14.2 h1:MJU9hqBGbvWZdApzpvoF2WAIJDbtjK2NDJSiJP7HblQ=
@@ -87,18 +85,12 @@ github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4r github.com/cenkalti/backoff/v4 v4.1.3 h1:cFAlzYUlVYDysBEH2T5hyJZMh3+5+WCBvSnK6Q8UtC4= github.com/cenkalti/backoff/v4 v4.1.3/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E= github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= -github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg= github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM= 
@@ -125,8 +117,6 @@ github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDD github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= @@ -135,7 +125,6 @@ github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBD github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a h1:qc+7TV35Pq/FlgqECyS5ywq8cSN9j1fwZg6uyZ7G0B0= github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a/go.mod h1:awFzISqLJoZLm+i9QQ4SgMNHDqljH6jWV0B36V5MrUM= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo= github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= 
@@ -154,17 +143,14 @@ github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfb github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 
@@ -179,8 +165,8 @@ github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= -github.com/google/s2a-go v0.1.5 h1:8IYp3w9nysqv3JH+NJgXJzGbDHzLOTj43BmSkp+O7qg= -github.com/google/s2a-go v0.1.5/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= +github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -192,7 +178,6 @@ github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56 github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= github.com/goware/prefixer v0.0.0-20160118172347-395022866408 h1:Y9iQJfEqnN3/Nce9cOegemcy/9Ai5k3huT6E80F3zaw= github.com/goware/prefixer v0.0.0-20160118172347-395022866408/go.mod h1:PE1ycukgRPJ7bJ9a1fdfQ9j8i/cEcRAoLZzbxYpNB/s= -github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -218,8 +203,8 @@ github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0S github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hashicorp/vault/api v1.9.2 h1:YjkZLJ7K3inKgMZ0wzCU9OHqc+UqMQyXsPXnf3Cl2as= -github.com/hashicorp/vault/api v1.9.2/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= +github.com/hashicorp/vault/api v1.10.0 h1:/US7sIjWN6Imp4o/Rj1Ce2Nr5bki/AXi9vAW3p2tOJQ= +github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= @@ -281,7 +266,6 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
@@ -299,7 +283,6 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -325,17 +308,15 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk= -golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= +golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck= +golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 
@@ -348,32 +329,27 @@ golang.org/x/mod v0.9.0 h1:KENHtAZL2y3NLMYZeHY9DW8HW8V+kQyJsY/V9JlKvCs= golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod 
h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= -golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= +golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8= +golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU= golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -390,12 +366,10 @@ golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -412,26 +386,24 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM= -golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= -golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0= -golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= +golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU= +golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text 
v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= -golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20220609170525-579cf78fd858 h1:Dpdu/EMxGMFgq0CeYMh4fazTD2vtlZRYE7wyynxJb9U= golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -453,32 +425,28 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.138.0 h1:K/tVp05MxNVbHShRw9m7e9VJGdagNeTdMzqPH7AUqr0= -google.golang.org/api v0.138.0/go.mod h1:4xyob8CxC+0GChNBvEUAk8VBKNvYOTWM9T3v3UfRxuY= +google.golang.org/api v0.139.0 h1:A1TrCPgMmOiYu0AiNkvQIpIx+D8blHTDcJ5EogkP7LI= +google.golang.org/api v0.139.0/go.mod h1:CVagp6Eekz9CjGZ718Z+sloknzkDJE7Vc1Ckj9+viBk= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY= google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 h1:nIgk/EEq3/YlnmVVXVnm14rC2oxgs1o0ong4sD/rd44= google.golang.org/genproto/googleapis/api 
v0.0.0-20230803162519-f966b187b2e5/go.mod h1:5DZzOUPCLYL3mNkQ0ms0F3EuUNZ7py1Bqeq6sxzI7/Q= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832 h1:o4LtQxebKIJ4vkzyhtD2rfUNZ20Zf0ik5YVP5E7G7VE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= -google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw= -google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo= +google.golang.org/grpc v1.58.0 h1:32JY8YpPMSR45K+c3o6b8VL73V+rR8k+DeMIr4vRH8o= +google.golang.org/grpc v1.58.0/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -499,7 +467,6 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= From 72b41a615834f15db5ec29e9a5068aee296962a3 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Mon, 11 Sep 2023 23:13:44 +0200 Subject: [PATCH 073/135] build: pin actions to full length commit SHA Signed-off-by: Hidde Beydals --- .github/workflows/cli.yml | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml index 5e548f369..93b628336 100644 --- a/.github/workflows/cli.yml +++ b/.github/workflows/cli.yml @@ -6,7 +6,10 @@ on: - main pull_request: branches: - - main + - main + +permissions: + contents: read jobs: build: @@ -25,15 +28,15 @@ jobs: VAULT_ADDR: "http://127.0.0.1:8200" steps: - name: Set up Go 1.20 - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '1.20' id: go - name: Check out code into the Go module directory - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - uses: actions/cache@v3 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} 
@@ -62,14 +65,14 @@ jobs: - name: Upload artifact for Linux and Darwin if: matrix.os != 'windows' - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} path: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} - name: Upload artifact for Windows if: matrix.os == 'windows' - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: sops-${{ matrix.os }}-${{ github.sha }} path: sops-${{ matrix.os }}-${{ github.sha }} @@ -86,9 +89,9 @@ jobs: run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain 1.70.0 - name: Check out code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: sops-linux-amd64-${{ github.sha }} From d977df3cfee00a8c936c6c3de0f3dee8d9f72ca3 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Mon, 11 Sep 2023 23:22:32 +0200 Subject: [PATCH 074/135] build: add CodeQL workflow This enables CodeQL scanning to automatically catch certain common security and quality issues in the GitHub UI. Signed-off-by: Hidde Beydals --- .github/workflows/codeql.yml | 53 ++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..564a959b6 --- /dev/null +++ b/.github/workflows/codeql.yml 
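Review bot: The rust job still installs its toolchain with `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain 1.70.0` (the context line just above the newly pinned checkout), which fetches and executes an unverified remote script on every run — the same class of mutable upstream dependency this commit pins the actions against, and the one place in the job the commit leaves open. If the rustup installer has to stay, download the script to a file, compare it against a checksum recorded in the repository and only then run it, or install the toolchain through an action pinned the same way as the others; at minimum a comment such as `# rustup.rs installer is fetched unpinned and unverified on every run` next to that step would make the gap visible to the next reader. The `1.70.0` toolchain pin only takes effect after the installer itself has already executed.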
@@ -0,0 +1,53 @@ +name: "CodeQL" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + # Ignore changes to common non-code files. + paths-ignore: + - '**/*.md' + - '**/*.rst' + - '**/*.txt' + - '**/*.yml' + - '**/*.yaml' + - '**/*.json' + - '**/*.ini' + - '**/*.env' + schedule: + - cron: '25 6 * * 3' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout code + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + with: + languages: go + # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # xref: https://codeql.github.com/codeql-query-help/go/ + queries: security-and-quality + + # Build the project, and run CodeQL analysis. + # We do not make use of autobuild as this would run the first Make + # target, which includes a lot more than just the Go files we want to + # scan. + - name: Build + run: make install + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + with: + category: "/language:go" From 083239ce6923c58a817ce459a5dcd2b3a3b38540 Mon Sep 17 00:00:00 2001 
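Review bot: `paths-ignore` on the `pull_request` trigger means a PR that only touches `*.md`, `*.yml`, `*.json` or the other listed patterns produces no CodeQL run at all, and if the "Analyze" job is later made a required status check such PRs become unmergeable until someone pushes an unrelated change (the `push` trigger on `main` is unfiltered, so the baseline stays current either way). A comment above `paths-ignore`, e.g. `# PRs matching these patterns get no CodeQL status at all; do not make this job a required check while the filter is in place.`, would spare the next maintainer that surprise. The `**/*.yml`/`**/*.yaml` entries also exclude the workflow files themselves — including this one — from PR scanning, which is consistent with `languages: go` but is worth stating next to it so nobody assumes the Actions files are covered.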
From: Hidde Beydals Date: Mon, 11 Sep 2023 23:40:28 +0200 Subject: [PATCH 075/135] Enable Dependabot for Docker, GH Actions and Go This enables Dependabot using three groups, one for container images, one for GitHub Actions, and one for Go Modules. In the future, we may want to split the Go Modules into multiple groups. For example, one for each key source with a misc catch-all group for any other dependency. xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates#grouping-dependabot-version-updates-into-one-pull-request Signed-off-by: Hidde Beydals --- .github/dependabot.yaml | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/dependabot.yaml diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 000000000..3d99d33af --- /dev/null +++ b/.github/dependabot.yaml 
@@ -0,0 +1,41 @@ +version: 2 + +updates: + - package-ecosystem: "docker" + directory: "/" + labels: ["dependencies"] + schedule: + # By default, this will be on a Monday. + interval: "weekly" + groups: + # Group all updates together, so that they are all applied in a single PR. + # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups + docker: + patterns: + - "*" + + - package-ecosystem: "github-actions" + directory: "/" + labels: ["area/CI", "dependencies"] + schedule: + # By default, this will be on a Monday. + interval: "weekly" + groups: + # Group all updates together, so that they are all applied in a single PR. + # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups + ci: + patterns: + - "*" + + - package-ecosystem: "gomod" + directory: "/" + labels: ["dependencies"] + schedule: + # By default, this will be on a Monday. + interval: "weekly" + groups: + # Group all updates together, so that they are all applied in a single PR. + # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups + go: + patterns: + - "*" From 59bf2f145d29cc7666a6d7d7f88d7b3f43098490 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Sep 2023 06:12:24 +0000 Subject: [PATCH 076/135] build(deps): Bump the go group with 2 updates Bumps the go group with 2 updates: [cloud.google.com/go/kms](https://github.com/googleapis/google-cloud-go) and [google.golang.org/api](https://github.com/googleapis/google-api-go-client). Updates `cloud.google.com/go/kms` from 1.15.1 to 1.15.2 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.15.1...kms/v1.15.2) Updates `google.golang.org/api` from 0.139.0 to 0.140.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.139.0...v0.140.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/kms dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... Signed-off-by: dependabot[bot] --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 62e5cffc2..7a2ec0364 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/getsops/sops/v3 go 1.19 require ( - cloud.google.com/go/kms v1.15.1 + cloud.google.com/go/kms v1.15.2 cloud.google.com/go/storage v1.33.0 filippo.io/age v1.1.1 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2 
@@ -37,7 +37,7 @@ require ( golang.org/x/net v0.15.0 golang.org/x/sys v0.12.0 golang.org/x/term v0.12.0 - google.golang.org/api v0.139.0 + google.golang.org/api v0.140.0 google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832 google.golang.org/grpc v1.58.0 google.golang.org/protobuf v1.31.0 @@ -84,7 +84,7 @@ require ( github.com/golang-jwt/jwt/v5 v5.0.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/s2a-go v0.1.7 // indirect - github.com/google/uuid v1.3.0 // indirect + github.com/google/uuid v1.3.1 // indirect github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect github.com/googleapis/gax-go/v2 v2.12.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect @@ -117,7 +117,7 @@ require ( go.opencensus.io v0.24.0 // indirect golang.org/x/crypto v0.13.0 // indirect golang.org/x/mod v0.9.0 // indirect - golang.org/x/oauth2 v0.11.0 // indirect + golang.org/x/oauth2 v0.12.0 // indirect golang.org/x/sync v0.3.0 // indirect golang.org/x/text v0.13.0 // indirect golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect diff --git a/go.sum b/go.sum index 10a84ccab..691723ad2 100644 --- a/go.sum +++ b/go.sum 
@@ -7,8 +7,8 @@ cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGB cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= cloud.google.com/go/iam v1.1.1 h1:lW7fzj15aVIXYHREOqjRBV9PsH0Z6u8Y46a1YGvQP4Y= cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= -cloud.google.com/go/kms v1.15.1 h1:HUC3fAoepH3RpcQXiJhXWWYizjQ5r7YjI7SO9ZbHf9s= -cloud.google.com/go/kms v1.15.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM= +cloud.google.com/go/kms v1.15.2 h1:lh6qra6oC4AyWe5fUUUBe/S27k12OHAleOOOw6KakdE= +cloud.google.com/go/kms v1.15.2/go.mod h1:3hopT4+7ooWRCjc2DxgnpESFxhIraaI2IpAVUEhbT/w= cloud.google.com/go/storage v1.33.0 h1:PVrDOkIC8qQVa1P3SXGpQvfuJhN2LHOoyZvWs8D2X5M= cloud.google.com/go/storage v1.33.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/OxflYkiD8= filippo.io/age v1.1.1 h1:pIpO7l151hCnQ4BdyBujnGP2YlUo0uj6sAVNHGBvXHg= @@ -170,8 +170,8 @@ github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.2.5 h1:UR4rDjcgpgEnqpIEvkiqTYKBCKLNmlge2eVjoZfySzM= github.com/googleapis/enterprise-certificate-proxy v0.2.5/go.mod h1:RxW0N9901Cko1VOCW3SXCpWP+mlIEkk2tP7jnHy9a3w= github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= 
@@ -346,8 +346,8 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8= golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU= -golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk= +golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= +golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -425,8 +425,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.139.0 h1:A1TrCPgMmOiYu0AiNkvQIpIx+D8blHTDcJ5EogkP7LI= -google.golang.org/api v0.139.0/go.mod h1:CVagp6Eekz9CjGZ718Z+sloknzkDJE7Vc1Ckj9+viBk= +google.golang.org/api v0.140.0 h1:CaXNdYOH5oQQI7l6iKTHHiMTdxZca4/02hRg2U8c2hM= +google.golang.org/api v0.140.0/go.mod h1:aGbCiFgtwb2P6badchFbSBUurV6oR5d50Af4iNJtDdI= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= From 6f054da64d110f52025f011afeab6ff7d9bbdbb3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Sep 2023 06:37:37 +0000 Subject: [PATCH 077/135] build(deps): Bump the ci group with 6 updates Bumps the ci group with 6 updates: | Package | From | To | | --- | --- | --- | | [actions/setup-go](https://github.com/actions/setup-go) | `3.5.0` | `4.1.0` | | [actions/checkout](https://github.com/actions/checkout) | `3.5.3` | `4.0.0` | | [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `3.1.1` | `3.1.2` | | [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `2.9.1` | `2.10.0` | | [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | `4.3.0` | `5.0.0` | | [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) | `1.8.0` | `1.9.0` | Updates `actions/setup-go` from 3.5.0 to 4.1.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v3.5.0...93397bea11091df50f3d7e59dc26a7711a8bcfbe) Updates `actions/checkout` from 3.5.3 to 4.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.5.3...3df4ab11eba7bda6032a0b82a6bb43b11571feac) Updates `sigstore/cosign-installer` from 3.1.1 to 3.1.2 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/6e04d228eb30da1757ee4e1dd75a0ec73a653e06...11086d25041f77fe8fe7b9ea4e48e3b9192b8f19) Updates `docker/setup-buildx-action` from 2.9.1 to 2.10.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/4c0219f9ac95b02789c1075625400b2acbff50b1...885d1462b80bc1c1c7f0b00334ad271f09369c55) Updates `goreleaser/goreleaser-action` from 4.3.0 to 5.0.0 - [Release 
notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](https://github.com/goreleaser/goreleaser-action/compare/336e29918d653399e599bfca99fadc1d7ffbc9f7...7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8) Updates `slsa-framework/slsa-github-generator` from 1.8.0 to 1.9.0 - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci ... Signed-off-by: dependabot[bot] --- .github/workflows/cli.yml | 6 +++--- .github/workflows/release.yml | 16 ++++++++-------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml index 93b628336..be3fb375f 100644 --- a/.github/workflows/cli.yml +++ b/.github/workflows/cli.yml 
@@ -28,13 +28,13 @@ jobs: VAULT_ADDR: "http://127.0.0.1:8200" steps: - name: Set up Go 1.20 - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: '1.20' id: go - name: Check out code into the Go module directory - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v3.6.0 - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: @@ -89,7 +89,7 @@ jobs: run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain 1.70.0 - name: Check out code - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v3.6.0 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0b7168b02..66c13c6f0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,12 +24,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: fetch-depth: 0 - name: Setup Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.1 with: go-version: 1.20.x cache: false 
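Review bot: Two of the trailing version comments on the new pins no longer match the SHA they annotate: the cli.yml hunk keeps `# v3.6.0` on `actions/checkout@3df4ab11…` while the release.yml hunk in the same commit labels that identical SHA `# v4.0.0`, and release.yml keeps `# v4.0.1` on `actions/setup-go@93397bea…` while cli.yml labels it `# v4.1.0`; the commit message says checkout moves to 4.0.0 and setup-go to 4.1.0, so the cli.yml checkout comment and the release.yml setup-go comment are stale and will mislead anyone auditing the pins. I would correct them to `uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0` (both occurrences in cli.yml) and `uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0` in release.yml. Separately, if I recall correctly setup-go v4 turns its built-in module cache on by default, so the cli.yml job now appears to cache `~/go/pkg/mod` twice — once inside setup-go and once through the explicit `actions/cache` step that follows; release.yml already passes `cache: false`, and cli.yml should settle on one mechanism as well.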
@@ -38,13 +38,13 @@ jobs: uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 - name: Setup Cosign - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1 + uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 - name: Setup QEMU uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 - name: Setup Docker Buildx - uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 + uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0 - name: Login to GitHub Container Registry uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 @@ -62,7 +62,7 @@ jobs: - name: Run GoReleaser id: goreleaser - uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0 + uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: version: 1.20.x args: release --clean --timeout 1h @@ -156,7 +156,7 @@ jobs: id-token: write # For creating OIDC tokens for signing. contents: write # For adding assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.8.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 with: base64-subjects: "${{ needs.combine-subjects.outputs.all-subjects }}" upload-assets: true @@ -173,7 +173,7 @@ jobs: strategy: matrix: ${{ fromJSON(needs.release.outputs.container-subjects) }} - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 with: image: ghcr.io/${{ matrix.image }} digest: ${{ matrix.digest }} 
@@ -192,7 +192,7 @@ jobs: strategy: matrix: ${{ fromJSON(needs.release.outputs.container-subjects) }} - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 with: image: quay.io/${{ matrix.image }} digest: ${{ matrix.digest }} From c26580d2705b91f35edae54eb2eea3761f78177f Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 12 Sep 2023 00:38:53 +0200 Subject: [PATCH 078/135] release: generate versioned `.intoto.jsonl` This ensures the file name is unique per release, and can be linked by file name to the specific SOPS version it is targeted at. Signed-off-by: Hidde Beydals --- .github/workflows/release.yml | 13 +++++++++++-- .goreleaser.yaml | 6 +++--- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 66c13c6f0..0d9656645 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,6 +17,7 @@ jobs: packages: write # For pushing and signing container images. outputs: + version: "${{ steps.release-metadata.outputs.version }}" artifact-subjects: "${{ steps.artifact-hashes.outputs.subjects }}" package-subjects: "${{ steps.package-hashes.outputs.subjects }}" sbom-subjects: "${{ steps.sbom-hashes.outputs.subjects }}" @@ -69,6 +70,14 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Extract release metadata + id: release-metadata + env: + METADATA: "${{ steps.goreleaser.outputs.metadata }}" + run: | + set -euo pipefail + echo "version=$(echo -E $METADATA | jq -r '.version')" >> "$GITHUB_OUTPUT" + - name: Extract artifact subjects id: artifact-hashes env: 
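Review bot: In the new `Extract release metadata` step, `$METADATA` is expanded unquoted in `echo -E $METADATA | jq -r '.version'`, so the shell word-splits and glob-expands the JSON before `jq` sees it; a value containing `*` or `?` would be mangled and `set -euo pipefail` would not notice. Pass the variable to `jq` directly, `echo "version=$(jq -r '.version' <<< "$METADATA")" >> "$GITHUB_OUTPUT"`. Because `version` is later interpolated into the provenance file name (`sops-v${{ needs.release.outputs.version }}.intoto.jsonl` in this file's following hunk), it is worth failing the step when the extracted value is empty or not a plain version string, for instance `[[ "$version" =~ ^[0-9A-Za-z.+-]+$ ]] || exit 1` before writing the output. The enclosing `release` job starts outside the hunk.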
@@ -149,7 +158,7 @@ jobs: echo "subjects=$(echo "$all_subjects" | base64 -w0)" >> "$GITHUB_OUTPUT" assets-provenance: - needs: [ combine-subjects ] + needs: [ release, combine-subjects ] permissions: actions: read # For detecting the GitHub Actions environment. @@ -160,7 +169,7 @@ jobs: with: base64-subjects: "${{ needs.combine-subjects.outputs.all-subjects }}" upload-assets: true - provenance-name: "provenance.intoto.jsonl" + provenance-name: "sops-v${{ needs.release.outputs.version }}.intoto.jsonl" ghcr-container-provenance: needs: [ release ] diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 17b173aa9..b28f8d52c 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
@@ -321,15 +321,15 @@ release: ### Verify artifact provenance - The [SLSA provenance](https://slsa.dev/provenance/v0.2) of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an [in-toto](https://in-toto.io/) link metadata file named `provenance.intoto.jsonl`. To verify the provenance of an artifact, you can utilize the [`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier#artifacts) tool: + The [SLSA provenance](https://slsa.dev/provenance/v0.2) of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an [in-toto](https://in-toto.io/) link metadata file named `sops-v{{ .Version }}.intoto.jsonl`. To verify the provenance of an artifact, you can utilize the [`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier#artifacts) tool: ```shell # Download the metadata file - curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/provenance.intoto.jsonl + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/sops-v{{ .Version }}.intoto.jsonl # Verify the provenance of the artifact slsa-verifier verify-artifact \ - --provenance-path provenance.intoto.jsonl \ + --provenance-path sops-v{{ .Version }}.intoto.jsonl \ --source-uri github.com/{{ .Env.GITHUB_REPOSITORY }} \ --source-tag {{ .Tag }} ``` From d9dcd44f0357501194be61c0e8dbcfdfdb7e1ab2 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 12 Sep 2023 09:20:26 +0200 Subject: [PATCH 079/135] build: fix indentation Dependabot file Signed-off-by: Hidde Beydals --- .github/dependabot.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 3d99d33af..64a3fa8e3 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml 
@@ -11,7 +11,7 @@ updates: # Group all updates together, so that they are all applied in a single PR. # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups docker: - patterns: + patterns: - "*" - package-ecosystem: "github-actions" From da64d83091993230df9831058ad00aa0eec8ccf8 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Wed, 13 Sep 2023 00:04:30 +0200 Subject: [PATCH 080/135] pgp: remove `DisableAgent` option This option actually gives a false impression, as disabling the agent is no longer possible since GnuPG 2.x. ``` --use-agent --no-use-agent This is dummy option. gpg always requires the agent. ``` xref: https://www.gnupg.org/documentation/manuals/gnupg24/gpg.1.html Signed-off-by: Hidde Beydals --- pgp/keysource.go | 16 +--------------- pgp/keysource_test.go | 6 ------ 2 files changed, 1 insertion(+), 21 deletions(-) diff --git a/pgp/keysource.go b/pgp/keysource.go index 6bbc33d86..e7f82c88f 100644 --- a/pgp/keysource.go +++ b/pgp/keysource.go @@ -20,9 +20,9 @@ import ( "github.com/ProtonMail/go-crypto/openpgp" "github.com/ProtonMail/go-crypto/openpgp/armor" + gpgagent "github.com/getsops/gopgagent" "github.com/getsops/sops/v3/logging" "github.com/sirupsen/logrus" - gpgagent "github.com/getsops/gopgagent" "golang.org/x/term" ) @@ -73,9 +73,6 @@ type MasterKey struct { // It can be injected by a (local) keyservice.KeyServiceServer using // GnuPGHome.ApplyToMasterKey(). gnuPGHomeDir string - // disableAgent instructs the MasterKey to not use the GnuPG agent during - // decryption operations. - disableAgent bool // disableOpenPGP instructs the MasterKey to skip attempting to open any // pubRing or secRing using OpenPGP. disableOpenPGP bool 
@@ -201,14 +198,6 @@ func (d GnuPGHome) ApplyToMasterKey(key *MasterKey) { } } -// DisableAgent disables the GnuPG agent for a MasterKey. -type DisableAgent struct{} - -// ApplyToMasterKey configures the provided key to not use the GnuPG agent. -func (d DisableAgent) ApplyToMasterKey(key *MasterKey) { - key.disableAgent = true -} - // DisableOpenPGP disables encrypt and decrypt operations using OpenPGP. type DisableOpenPGP struct{} @@ -418,9 +407,6 @@ func (key *MasterKey) decryptWithGnuPG() ([]byte, error) { args := []string{ "-d", } - if !key.disableAgent { - args = append([]string{"--use-agent"}, args...) - } err, stdout, stderr := gpgExec(key.gnuPGHome(), args, strings.NewReader(key.EncryptedKey)) if err != nil { return nil, fmt.Errorf("failed to decrypt sops data key with pgp: %s", diff --git a/pgp/keysource_test.go b/pgp/keysource_test.go index 1c7c436b4..58cb32040 100644 --- a/pgp/keysource_test.go +++ b/pgp/keysource_test.go @@ -148,12 +148,6 @@ func TestGnuPGHome_ApplyToMasterKey(t *testing.T) { assert.NotEqual(t, gnuPGHome.String(), key.gnuPGHomeDir) } -func TestDisableAgent_ApplyToMasterKey(t *testing.T) { - key := NewMasterKeyFromFingerprint(mockFingerprint) - DisableAgent{}.ApplyToMasterKey(key) - assert.True(t, key.disableAgent) -} - func TestDisableOpenPGP_ApplyToMasterKey(t *testing.T) { key := NewMasterKeyFromFingerprint(mockFingerprint) DisableOpenPGP{}.ApplyToMasterKey(key) From 51a4b4c32c148981b6a4c2dbfa65bb1aa18b6bf0 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 12 Sep 2023 23:55:49 +0200 Subject: [PATCH 081/135] keyservices: address logging regression Replace the logging of failed encryption and decryption attempts from error to info level. This to address a regression in which an encryption or decryption attempt with a series of keys would result in a list of failed attempts logged to stderr even when the operation itself eventually succeeded. 
Signed-off-by: Hidde Beydals --- age/keysource.go | 18 +++++++++--------- azkv/keysource.go | 14 +++++++------- gcpkms/keysource.go | 10 +++++----- hcvault/keysource.go | 12 ++++++------ kms/keysource.go | 10 +++++----- pgp/keysource.go | 4 ++-- 6 files changed, 34 insertions(+), 34 deletions(-) diff --git a/age/keysource.go b/age/keysource.go index 837333e17..a83d1a5c2 100644 --- a/age/keysource.go +++ b/age/keysource.go @@ -11,8 +11,8 @@ import ( "filippo.io/age" "filippo.io/age/armor" - "github.com/sirupsen/logrus" "github.com/getsops/sops/v3/logging" + "github.com/sirupsen/logrus" ) const ( @@ -124,7 +124,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error { if key.parsedRecipient == nil { parsedRecipient, err := parseRecipient(key.Recipient) if err != nil { - log.WithField("recipient", key.parsedRecipient).Error("Encryption failed") + log.WithField("recipient", key.parsedRecipient).Info("Encryption failed") return err } key.parsedRecipient = parsedRecipient 
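Review bot: The retained log call in the age `Encrypt` hunk reports `key.parsedRecipient`, which is necessarily `nil` in this branch because the enclosing `if` just tested `key.parsedRecipient == nil` and the parse of `key.Recipient` failed, so the field is always empty; the unparsed input is the useful value here: `log.WithField("recipient", key.Recipient).Info("Encryption failed")`. The Error-to-Info downgrade itself is applied consistently across the age, azkv, gcpkms, hcvault, kms and pgp hunks, but none of these lines attach the error, so at the new level a user sees only "Encryption failed" while the cause lives solely in the returned error; adding `.WithError(err)` next to the existing field would keep the messages diagnosable without reintroducing the noisy error-level output. `Encrypt` begins outside the hunk.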
@@ -134,19 +134,19 @@ func (key *MasterKey) Encrypt(dataKey []byte) error { aw := armor.NewWriter(&buffer) w, err := age.Encrypt(aw, key.parsedRecipient) if err != nil { - log.WithField("recipient", key.parsedRecipient).Error("Encryption failed") + log.WithField("recipient", key.parsedRecipient).Info("Encryption failed") return fmt.Errorf("failed to create writer for encrypting sops data key with age: %w", err) } if _, err := w.Write(dataKey); err != nil { - log.WithField("recipient", key.parsedRecipient).Error("Encryption failed") + log.WithField("recipient", key.parsedRecipient).Info("Encryption failed") return fmt.Errorf("failed to encrypt sops data key with age: %w", err) } if err := w.Close(); err != nil { - log.WithField("recipient", key.parsedRecipient).Error("Encryption failed") + log.WithField("recipient", key.parsedRecipient).Info("Encryption failed") return fmt.Errorf("failed to close writer for encrypting sops data key with age: %w", err) } if err := aw.Close(); err != nil { - log.WithField("recipient", key.parsedRecipient).Error("Encryption failed") + log.WithField("recipient", key.parsedRecipient).Info("Encryption failed") return fmt.Errorf("failed to close armored writer: %w", err) } @@ -180,7 +180,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) { if len(key.parsedIdentities) == 0 { ids, err := key.loadIdentities() if err != nil { - log.Error("Decryption failed") + log.Info("Decryption failed") return nil, fmt.Errorf("failed to load age identities: %w", err) } ids.ApplyToMasterKey(key) 
@@ -190,13 +190,13 @@ func (key *MasterKey) Decrypt() ([]byte, error) { ar := armor.NewReader(src) r, err := age.Decrypt(ar, key.parsedIdentities...) if err != nil { - log.Error("Decryption failed") + log.Info("Decryption failed") return nil, fmt.Errorf("failed to create reader for decrypting sops data key with age: %w", err) } var b bytes.Buffer if _, err := io.Copy(&b, r); err != nil { - log.Error("Decryption failed") + log.Info("Decryption failed") return nil, fmt.Errorf("failed to copy age decrypted data into bytes.Buffer: %w", err) } diff --git a/azkv/keysource.go b/azkv/keysource.go index 6222adc4e..0646ac561 100644 --- a/azkv/keysource.go +++ b/azkv/keysource.go @@ -117,13 +117,13 @@ func (t TokenCredential) ApplyToMasterKey(key *MasterKey) { func (key *MasterKey) Encrypt(dataKey []byte) error { token, err := key.getTokenCredential() if err != nil { - log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Error("Encryption failed") + log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Encryption failed") return fmt.Errorf("failed to get Azure token credential to encrypt data: %w", err) } c, err := azkeys.NewClient(key.VaultURL, token, nil) if err != nil { - log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Error("Encryption failed") + log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Encryption failed") return fmt.Errorf("failed to construct Azure Key Vault client to encrypt data: %w", err) } @@ -132,7 +132,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error { Value: dataKey, }, nil) if err != nil { - log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Error("Encryption failed") + log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Encryption failed") return fmt.Errorf("failed to encrypt sops data key with Azure Key Vault key '%s': %w", key.ToString(), err) } 
@@ -166,19 +166,19 @@ func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error { func (key *MasterKey) Decrypt() ([]byte, error) { token, err := key.getTokenCredential() if err != nil { - log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Error("Decryption failed") + log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Decryption failed") return nil, fmt.Errorf("failed to get Azure token credential to decrypt: %w", err) } rawEncryptedKey, err := base64.RawURLEncoding.DecodeString(key.EncryptedKey) if err != nil { - log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Error("Decryption failed") + log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Decryption failed") return nil, fmt.Errorf("failed to base64 decode Azure Key Vault encrypted key: %w", err) } c, err := azkeys.NewClient(key.VaultURL, token, nil) if err != nil { - log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Error("Decryption failed") + log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Decryption failed") return nil, fmt.Errorf("failed to construct Azure Key Vault client to decrypt data: %w", err) } @@ -187,7 +187,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) { Value: rawEncryptedKey, }, nil) if err != nil { - log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Error("Decryption failed") + log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Decryption failed") return nil, fmt.Errorf("failed to decrypt sops data key with Azure Key Vault key '%s': %w", key.ToString(), err) } log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Decryption succeeded") diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go index b4ebbff3e..3ef97b445 100644 --- a/gcpkms/keysource.go +++ b/gcpkms/keysource.go 
@@ -94,7 +94,7 @@ func (c CredentialJSON) ApplyToMasterKey(key *MasterKey) { func (key *MasterKey) Encrypt(dataKey []byte) error { service, err := key.newKMSClient() if err != nil { - log.WithField("resourceID", key.ResourceID).Error("Encryption failed") + log.WithField("resourceID", key.ResourceID).Info("Encryption failed") return fmt.Errorf("cannot create GCP KMS service: %w", err) } defer func() { @@ -110,7 +110,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error { ctx := context.Background() resp, err := service.Encrypt(ctx, req) if err != nil { - log.WithField("resourceID", key.ResourceID).Error("Encryption failed") + log.WithField("resourceID", key.ResourceID).Info("Encryption failed") return fmt.Errorf("failed to encrypt sops data key with GCP KMS key: %w", err) } // NB: base64 encoding is for compatibility with SOPS <=3.8.x. @@ -145,7 +145,7 @@ func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error { func (key *MasterKey) Decrypt() ([]byte, error) { service, err := key.newKMSClient() if err != nil { - log.WithField("resourceID", key.ResourceID).Error("Decryption failed") + log.WithField("resourceID", key.ResourceID).Info("Decryption failed") return nil, fmt.Errorf("cannot create GCP KMS service: %w", err) } defer func() { @@ -158,7 +158,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) { // client used to work with base64 encoded strings. decodedCipher, err := base64.StdEncoding.DecodeString(string(key.EncryptedDataKey())) if err != nil { - log.WithField("resourceID", key.ResourceID).Error("Decryption failed") + log.WithField("resourceID", key.ResourceID).Info("Decryption failed") return nil, err } 
@@ -169,7 +169,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) { ctx := context.Background() resp, err := service.Decrypt(ctx, req) if err != nil { - log.WithField("resourceID", key.ResourceID).Error("Decryption failed") + log.WithField("resourceID", key.ResourceID).Info("Decryption failed") return nil, fmt.Errorf("failed to decrypt sops data key with GCP KMS key: %w", err) } diff --git a/hcvault/keysource.go b/hcvault/keysource.go index d2aba26f1..128115705 100644 --- a/hcvault/keysource.go +++ b/hcvault/keysource.go @@ -130,18 +130,18 @@ func (key *MasterKey) Encrypt(dataKey []byte) error { client, err := vaultClient(key.VaultAddress, key.token) if err != nil { - log.WithField("Path", fullPath).Error("Encryption failed") + log.WithField("Path", fullPath).Info("Encryption failed") return err } secret, err := client.Logical().Write(fullPath, encryptPayload(dataKey)) if err != nil { - log.WithField("Path", fullPath).Error("Encryption failed") + log.WithField("Path", fullPath).Info("Encryption failed") return fmt.Errorf("failed to encrypt sops data key to Vault transit backend '%s': %w", fullPath, err) } encryptedKey, err := encryptedKeyFromSecret(secret) if err != nil { - log.WithField("Path", fullPath).Error("Encryption failed") + log.WithField("Path", fullPath).Info("Encryption failed") return fmt.Errorf("failed to encrypt sops data key to Vault transit backend '%s': %w", fullPath, err) } 
@@ -175,18 +175,18 @@ func (key *MasterKey) Decrypt() ([]byte, error) { client, err := vaultClient(key.VaultAddress, key.token) if err != nil { - log.WithField("Path", fullPath).Error("Decryption failed") + log.WithField("Path", fullPath).Info("Decryption failed") return nil, err } secret, err := client.Logical().Write(fullPath, decryptPayload(key.EncryptedKey)) if err != nil { - log.WithField("Path", fullPath).Error("Decryption failed") + log.WithField("Path", fullPath).Info("Decryption failed") return nil, fmt.Errorf("failed to decrypt sops data key from Vault transit backend '%s': %w", fullPath, err) } dataKey, err := dataKeyFromSecret(secret) if err != nil { - log.WithField("Path", fullPath).Error("Decryption failed") + log.WithField("Path", fullPath).Info("Decryption failed") return nil, fmt.Errorf("failed to decrypt sops data key from Vault transit backend '%s': %w", fullPath, err) } diff --git a/kms/keysource.go b/kms/keysource.go index 47c369b36..a28398090 100644 --- a/kms/keysource.go +++ b/kms/keysource.go @@ -194,7 +194,7 @@ func (c CredentialsProvider) ApplyToMasterKey(key *MasterKey) { func (key *MasterKey) Encrypt(dataKey []byte) error { cfg, err := key.createKMSConfig() if err != nil { - log.WithField("arn", key.Arn).Error("Encryption failed") + log.WithField("arn", key.Arn).Info("Encryption failed") return err } client := key.createClient(cfg) @@ -205,7 +205,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error { } out, err := client.Encrypt(context.TODO(), input) if err != nil { - log.WithField("arn", key.Arn).Error("Encryption failed") + log.WithField("arn", key.Arn).Info("Encryption failed") return fmt.Errorf("failed to encrypt sops data key with AWS KMS: %w", err) } key.EncryptedKey = base64.StdEncoding.EncodeToString(out.CiphertextBlob) 
@@ -237,12 +237,12 @@ func (key *MasterKey) SetEncryptedDataKey(enc []byte) { func (key *MasterKey) Decrypt() ([]byte, error) { k, err := base64.StdEncoding.DecodeString(key.EncryptedKey) if err != nil { - log.WithField("arn", key.Arn).Error("Decryption failed") + log.WithField("arn", key.Arn).Info("Decryption failed") return nil, fmt.Errorf("error base64-decoding encrypted data key: %s", err) } cfg, err := key.createKMSConfig() if err != nil { - log.WithField("arn", key.Arn).Error("Decryption failed") + log.WithField("arn", key.Arn).Info("Decryption failed") return nil, err } client := key.createClient(cfg) @@ -253,7 +253,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) { } decrypted, err := client.Decrypt(context.TODO(), input) if err != nil { - log.WithField("arn", key.Arn).Error("Decryption failed") + log.WithField("arn", key.Arn).Info("Decryption failed") return nil, fmt.Errorf("failed to decrypt sops data key with AWS KMS: %w", err) } log.WithField("arn", key.Arn).Info("Decryption succeeded") diff --git a/pgp/keysource.go b/pgp/keysource.go index e7f82c88f..b6c77bde0 100644 --- a/pgp/keysource.go +++ b/pgp/keysource.go @@ -257,7 +257,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error { } errs = append(errs, fmt.Errorf("GnuPG binary error: %w", binaryErr)) - log.WithField("fingerprint", key.Fingerprint).Error("Encryption failed") + log.WithField("fingerprint", key.Fingerprint).Info("Encryption failed") return fmt.Errorf("could not encrypt data key with PGP key: %w", errs) } @@ -368,7 +368,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) { } errs = append(errs, fmt.Errorf("GnuPG binary error: %w", binaryErr)) - log.WithField("fingerprint", key.Fingerprint).Error("Decryption failed") + log.WithField("fingerprint", key.Fingerprint).Info("Decryption failed") return nil, fmt.Errorf("could not decrypt data key with PGP key: %w", errs) } From c26b4c9c9feff4598fd33f50bd9929b7595d8917 Mon Sep 17 00:00:00 2001 
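Review bot: The context line `return nil, fmt.Errorf("error base64-decoding encrypted data key: %s", err)` in the kms `Decrypt` hunk formats the underlying error with `%s`, whereas every sibling return in this and the other key-source hunks wraps with `%w`; callers using `errors.Is`/`errors.As` cannot unwrap this one. Switching it to `%w` keeps the package's error-wrapping uniform, `return nil, fmt.Errorf("error base64-decoding encrypted data key: %w", err)`. `Decrypt` continues outside the hunk.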
From: Hidde Beydals Date: Thu, 14 Sep 2023 23:36:27 +0200 Subject: [PATCH 082/135] chore: update dependencies - google.golang.org/api to v0.141.0 - google.golang.org/genproto/googleapis/rpc to v0.0.0-20230913181813-007df8e322eb - google.golang.org/grpc to v1.58.1 Signed-off-by: Hidde Beydals --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 7a2ec0364..fb0bf6aad 100644 --- a/go.mod +++ b/go.mod @@ -37,9 +37,9 @@ require ( golang.org/x/net v0.15.0 golang.org/x/sys v0.12.0 golang.org/x/term v0.12.0 - google.golang.org/api v0.140.0 - google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832 - google.golang.org/grpc v1.58.0 + google.golang.org/api v0.141.0 + google.golang.org/genproto/googleapis/rpc v0.0.0-20230913181813-007df8e322eb + google.golang.org/grpc v1.58.1 google.golang.org/protobuf v1.31.0 gopkg.in/ini.v1 v1.67.0 gopkg.in/yaml.v3 v3.0.1 diff --git a/go.sum b/go.sum index 691723ad2..5c92b4553 100644 --- a/go.sum +++ b/go.sum 
@@ -425,8 +425,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.140.0 h1:CaXNdYOH5oQQI7l6iKTHHiMTdxZca4/02hRg2U8c2hM= -google.golang.org/api v0.140.0/go.mod h1:aGbCiFgtwb2P6badchFbSBUurV6oR5d50Af4iNJtDdI= +google.golang.org/api v0.141.0 h1:Df6vfMgDoIM6ss0m7H4MPwFwY87WNXHfBIda/Bmfl4E= +google.golang.org/api v0.141.0/go.mod h1:iZqLkdPlXKyG0b90eu6KxVSE4D/ccRF2e/doKD2CnQQ= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= 
@@ -438,15 +438,15 @@ google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ19 google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 h1:nIgk/EEq3/YlnmVVXVnm14rC2oxgs1o0ong4sD/rd44= google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5/go.mod h1:5DZzOUPCLYL3mNkQ0ms0F3EuUNZ7py1Bqeq6sxzI7/Q= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832 h1:o4LtQxebKIJ4vkzyhtD2rfUNZ20Zf0ik5YVP5E7G7VE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230913181813-007df8e322eb h1:Isk1sSH7bovx8Rti2wZK0UZF6oraBDK74uoyLEEVFN0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230913181813-007df8e322eb/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.58.0 h1:32JY8YpPMSR45K+c3o6b8VL73V+rR8k+DeMIr4vRH8o= -google.golang.org/grpc v1.58.0/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= +google.golang.org/grpc v1.58.1 h1:OL+Vz23DTtrrldqHK49FUOPHyY75rvFqJfXC84NYW58= +google.golang.org/grpc v1.58.1/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From 2a3bfe31e81299f4a5a81b239342ebe06a7c391c Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Thu, 14 Sep 2023 23:41:52 +0200 Subject: [PATCH 083/135] Prepare v3.8.0 Signed-off-by: Hidde Beydals --- CHANGELOG.rst | 16 ++++++++++------ version/version.go | 2 +- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 5cf264db3..f119dcbb2 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,8 +1,8 @@ Changelog ========= -3.8.0-rc.1 ----------- +3.8.0 +----- Features: * Support ``--version`` without network requests using ``--disable-version-check`` (#1115) @@ -10,7 +10,7 @@ Features: Improvements: -* pgp: modernize and improve, and add tests (#1054) +* pgp: modernize and improve, and add tests (#1054, #1282) * azkv: update SDK to latest, add tests, tidy (#1067, #1092, #1256) * age: improve identity loading, add tests, tidy (#1064) * kms: AWS SDK V2, allow creds config, add tests (#1065, #1257) 
@@ -19,15 +19,15 @@ Improvements: * Do not report version when upstream ``--version`` check fails (#1124) * Use GitHub endpoints in ``--version`` command (#1261) * Close temporary file before invoking editor to widen support on Windows (#1265) -* Update dependencies (#1063, #1091, #1147, #1242, #1260, #1264) +* Update dependencies (#1063, #1091, #1147, #1242, #1260, #1264, #1275, #1280, #1283) * Deal with various deprecations of dependencies (#1113, #1262) Bug fixes: * Ensure YAML comments are not displaced (#1069) * Ensure default Google credentials can be used again after introduction of ``GOOGLE_CREDENTIALS`` (#1249) -* Avoid duplicate logging of errors in some key sources (#1146) -* Using `--set` on a root level key does no longer truncate existing values (#899) +* Avoid duplicate logging of errors in some key sources (#1146, #1281) +* Using ``--set`` on a root level key does no longer truncate existing values (#899) * Ensure stable order of SOPS parameters in dotenv file (#1101) Project changes: @@ -45,6 +45,10 @@ Project changes: * Improve Make targets and address various issues (#1258) * Ensure clean working tree in CI (#1267) * Fix CHANGELOG.rst formatting (#1269) +* Pin GitHub Actions to full length commit SHA and add CodeQL (#1276) +* Enable Dependabot for Docker, GitHub Actions and Go Mod (#1277) +* Generate versioned ``.intoto.jsonl`` (#1278) +* Update CI dependencies (#1279) 3.7.3 ----- diff --git a/version/version.go b/version/version.go index 006a16152..161bdcdea 100644 --- a/version/version.go +++ b/version/version.go @@ -12,7 +12,7 @@ import ( ) // Version represents the value of the current semantic version. -var Version = "3.7.3" +var Version = "3.8.0" // PrintVersion prints the current version of sops. If the flag // `--disable-version-check` is set, the function will not attempt From 00100abbf3b4c51f6717b3d00fd62df2db04e4d6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 09:52:16 +0000 Subject: [PATCH 084/135] build(deps): Bump the ci group with 3 updates Bumps the ci group with 3 updates: [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action), [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) and [docker/login-action](https://github.com/docker/login-action). Updates `docker/setup-qemu-action` from 2.2.0 to 3.0.0 - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](https://github.com/docker/setup-qemu-action/compare/2b82ce82d56a2a04d2637cd93a637ae1b359c0a7...68827325e0b33c7199eb31dd4e31fbe9023e06e3) Updates `docker/setup-buildx-action` from 2.10.0 to 3.0.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/885d1462b80bc1c1c7f0b00334ad271f09369c55...f95db51fddba0c2d1ec667646a06c2ce06100226) Updates `docker/login-action` from 2.2.0 to 3.0.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/465a07811f14bebb1938fbed4728c6a1ff8901fc...343f7c4344506bcbf9b4de18042ae17996df046d) --- updated-dependencies: - dependency-name: docker/setup-qemu-action dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0d9656645..f1a1a0340 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -42,20 +42,20 @@ jobs: uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 - name: Setup QEMU - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Setup Docker Buildx - uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - name: Login to GitHub Container Registry - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Quay.io - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: quay.io username: ${{ secrets.QUAY_BOT_USERNAME }} From 7e454de2c0630bc84f6da92ce1af0d542c551b1b Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 19 Sep 2023 22:41:31 +0200 Subject: [PATCH 085/135] pgp: improve handling of GnuPG home dir There have been reports about the new logic breaking certain GnuPG shims (#1294). As this behavior is only really required when SDK users are making use of the GnuPG using SOPS as an SDK. Prefer any runtime configuration when no custom GnuPG home is configured on the key source, instead of providing an absolute `--homedir` to `gpg`. Signed-off-by: Hidde Beydals --- pgp/keysource.go | 51 ++++++++++++++++++++++--------------------- pgp/keysource_test.go | 36 +++++++++++++++--------------- 2 files changed, 43 insertions(+), 44 deletions(-) diff --git a/pgp/keysource.go b/pgp/keysource.go index b6c77bde0..ffeb0b1a2 100644 --- a/pgp/keysource.go +++ b/pgp/keysource.go 
@@ -318,7 +318,7 @@ func (key *MasterKey) encryptWithGnuPG(dataKey []byte) error { fingerprint, "--no-encrypt-to", } - err, stdout, stderr := gpgExec(key.gnuPGHome(), args, bytes.NewReader(dataKey)) + err, stdout, stderr := gpgExec(key.gnuPGHomeDir, args, bytes.NewReader(dataKey)) if err != nil { return fmt.Errorf("failed to encrypt sops data key with pgp: %s", strings.TrimSpace(stderr.String())) } @@ -407,7 +407,7 @@ func (key *MasterKey) decryptWithGnuPG() ([]byte, error) { args := []string{ "-d", } - err, stdout, stderr := gpgExec(key.gnuPGHome(), args, strings.NewReader(key.EncryptedKey)) + err, stdout, stderr := gpgExec(key.gnuPGHomeDir, args, strings.NewReader(key.EncryptedKey)) if err != nil { return nil, fmt.Errorf("failed to decrypt sops data key with pgp: %s", strings.TrimSpace(stderr.String())) @@ -436,27 +436,6 @@ func (key MasterKey) ToMap() map[string]interface{} { return out } -// gnuPGHome determines the GnuPG home directory for the MasterKey, and returns -// its path. In order of preference: -// 1. MasterKey.gnuPGHomeDir -// 2. $GNUPGHOME -// 3. user.Current().HomeDir/.gnupg -// 4. $HOME/.gnupg -func (key *MasterKey) gnuPGHome() string { - if key.gnuPGHomeDir == "" { - dir := os.Getenv("GNUPGHOME") - if dir == "" { - usr, err := user.Current() - if err != nil { - return filepath.Join(os.Getenv("HOME"), ".gnupg") - } - return filepath.Join(usr.HomeDir, ".gnupg") - } - return dir - } - return key.gnuPGHomeDir -} - // retrievePubKey attempts to retrieve the public key from the public keyring // by Fingerprint. func (key *MasterKey) retrievePubKey() (openpgp.Entity, error) { @@ -479,7 +458,7 @@ func (key *MasterKey) retrievePubKey() (openpgp.Entity, error) { func (key *MasterKey) getPubRing() (openpgp.EntityList, error) { path := key.pubRing if path == "" { - path = filepath.Join(key.gnuPGHome(), defaultPubRing) + path = filepath.Join(gnuPGHome(key.gnuPGHomeDir), defaultPubRing) } return loadRing(path) } 
@@ -490,7 +469,7 @@ func (key *MasterKey) getPubRing() (openpgp.EntityList, error) { func (key *MasterKey) getSecRing() (openpgp.EntityList, error) { path := key.secRing if path == "" { - path = filepath.Join(key.gnuPGHome(), defaultSecRing) + path = filepath.Join(gnuPGHome(key.gnuPGHomeDir), defaultSecRing) } if _, err := os.Lstat(path); err != nil { if !os.IsNotExist(err) { @@ -609,6 +588,28 @@ func gpgBinary() string { return binary } +// gnuPGHome determines the GnuPG home directory, and returns its path. +// In order of preference: +// 1. customPath +// 2. $GNUPGHOME +// 3. user.Current().HomeDir/.gnupg +// 4. $HOME/.gnupg +func gnuPGHome(customPath string) string { + if customPath != "" { + return customPath + } + + dir := os.Getenv("GNUPGHOME") + if dir == "" { + usr, err := user.Current() + if err != nil { + return filepath.Join(os.Getenv("HOME"), ".gnupg") + } + return filepath.Join(usr.HomeDir, ".gnupg") + } + return dir +} + // shortenFingerprint returns the short ID of the given fingerprint. // This is mostly used for compatability reasons, as older versions of GnuPG // do not always like long IDs. diff --git a/pgp/keysource_test.go b/pgp/keysource_test.go index 58cb32040..187a75b1d 100644 --- a/pgp/keysource_test.go +++ b/pgp/keysource_test.go @@ -271,7 +271,7 @@ func TestMasterKey_encryptWithGnuPG(t *testing.T) { args := []string{ "-d", } - err, stdout, stderr := gpgExec(key.gnuPGHome(), args, strings.NewReader(key.EncryptedKey)) + err, stdout, stderr := gpgExec(key.gnuPGHomeDir, args, strings.NewReader(key.EncryptedKey)) assert.NoError(t, err, stderr.String()) assert.Equal(t, data, stdout.Bytes()) }) 
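Review bot: The relocated `gnuPGHome` helper is now consulted only by `getPubRing`/`getSecRing`, while `gpgExec` receives `key.gnuPGHomeDir` unchanged and lets the gpg binary pick its own home when that is empty; the two resolutions are not guaranteed to agree (gpg may apply platform defaults that differ from the `$HOME/.gnupg` fallback coded here), and the new doc comment should say so. I would add `// Only used by the in-process keyring loaders; gpgExec leaves resolution to gpg itself when no custom home is set, so the two may differ.` below the preference list. It is also worth noting in the comment that a relative `$GNUPGHOME` is returned as-is and then joined with the keyring filename, so the path opened depends on the working directory.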
@@ -529,24 +529,6 @@ func TestMasterKey_ToMap(t *testing.T) { }, key.ToMap()) } -func TestMasterKey_gnuPGHome(t *testing.T) { - key := &MasterKey{} - - usr, err := user.Current() - if err == nil { - assert.Equal(t, filepath.Join(usr.HomeDir, ".gnupg"), key.gnuPGHome()) - } else { - assert.Equal(t, filepath.Join(os.Getenv("HOME"), ".gnupg"), key.gnuPGHome()) - } - - gnupgHome := "/overwrite/home" - t.Setenv("GNUPGHOME", gnupgHome) - assert.Equal(t, gnupgHome, key.gnuPGHome()) - - key.gnuPGHomeDir = "/home/dir/overwrite" - assert.Equal(t, key.gnuPGHomeDir, key.gnuPGHome()) -} - func TestMasterKey_retrievePubKey(t *testing.T) { t.Run("existing fingerprint", func(t *testing.T) { key := NewMasterKeyFromFingerprint(mockFingerprint) @@ -671,6 +653,22 @@ func Test_gpgBinary(t *testing.T) { assert.Equal(t, overwrite, gpgBinary()) } +func Test_gnuPGHome(t *testing.T) { + usr, err := user.Current() + if err == nil { + assert.Equal(t, filepath.Join(usr.HomeDir, ".gnupg"), gnuPGHome("")) + } else { + assert.Equal(t, filepath.Join(os.Getenv("HOME"), ".gnupg"), gnuPGHome("")) + } + + gnupgHome := "/overwrite/home" + t.Setenv("GNUPGHOME", gnupgHome) + assert.Equal(t, gnupgHome, gnuPGHome("")) + + customP := "/home/dir/overwrite" + assert.Equal(t, customP, gnuPGHome(customP)) +} + func Test_shortenFingerprint(t *testing.T) { shortId := shortenFingerprint(mockFingerprint) assert.Equal(t, "9732075EA221A7EA", shortId) From bc89a1dc1f77233f5633f92c2a5a32b75f2cfd90 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 19 Sep 2023 22:55:03 +0200 Subject: [PATCH 086/135] pgp: remove `--no-default-keyring` argument This argument was confusing and/or misleading, as we do specify a home directory as the next argument. Signed-off-by: Hidde Beydals --- pgp/keysource.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pgp/keysource.go b/pgp/keysource.go index ffeb0b1a2..b968a3046 100644 --- a/pgp/keysource.go +++ b/pgp/keysource.go 
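Review bot: The first assertion in `Test_gnuPGHome` runs with whatever `GNUPGHOME` the developer's shell already exports, so the test fails on any machine that has it set before `t.Setenv` is reached. Clear it first with `t.Setenv("GNUPGHOME", "")` — an empty value takes the same branch as unset in `gnuPGHome`, and `t.Setenv` restores the original value when the test ends. The same hermeticity concern applied to the deleted `TestMasterKey_gnuPGHome`, so this is a good moment to fix it.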
@@ -562,11 +562,11 @@ func fingerprintIndex(ring openpgp.EntityList) map[string]openpgp.Entity { } // gpgExec runs the provided args with the gpgBinary, while restricting it to -// gnuPGHome. Stdout and stderr can be read from the returned buffers. -// When the command fails, an error is returned. -func gpgExec(gnuPGHome string, args []string, stdin io.Reader) (err error, stdout bytes.Buffer, stderr bytes.Buffer) { - if gnuPGHome != "" { - args = append([]string{"--no-default-keyring", "--homedir", gnuPGHome}, args...) +// homeDir when provided. Stdout and stderr can be read from the returned +// buffers. When the command fails, an error is returned. +func gpgExec(homeDir string, args []string, stdin io.Reader) (err error, stdout bytes.Buffer, stderr bytes.Buffer) { + if homeDir != "" { + args = append([]string{"--homedir", homeDir}, args...) } cmd := exec.Command(gpgBinary(), args...) From 757ac2541f4df0d80c999ce9c09ad8d1a894b0b6 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Sat, 16 Sep 2023 14:07:29 +0200 Subject: [PATCH 087/135] Delete sops encrypted file we don't have keys for. Signed-off-by: Felix Fontein --- stores/json/test_resources/example.json | 33 ------------------------- 1 file changed, 33 deletions(-) delete mode 100644 stores/json/test_resources/example.json diff --git a/stores/json/test_resources/example.json b/stores/json/test_resources/example.json deleted file mode 100644 index 594f99d42..000000000 --- a/stores/json/test_resources/example.json +++ /dev/null 
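Review bot: The updated comment says gpgExec restricts gpg to `homeDir` "when provided" but does not state what happens otherwise, which is exactly the case the previous commit now relies on for SDK users; spell it out with `// When homeDir is empty no --homedir is passed and gpg resolves its home itself ($GNUPGHOME or its platform default).` Dropping `--no-default-keyring` looks safe as far as this hunk shows, since `--homedir` alone selects the keyrings under that directory, but that reasoning should live in the comment rather than only in the commit message. gpgExec's body continues outside the hunk.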
@@ -1,33 +0,0 @@ -{ - "example_key": "ENC[AES256_GCM,data:Xjen3YMQYCBfTU8VjA==,iv:1NUKversqeQiuTmAkZuyd6UY2AWiBS4owa4QHnwKOBM=,tag:ZO+Aln5DQ5Qm/QV2uBdahA==,type:str]", - "example_array": [ - "ENC[AES256_GCM,data:XJR0qvZuifm8j1TIQB8=,iv:QUkwy1dp0RU0PKEAw/VxVe1ZsQ972c8gPMJoVKgMfuw=,tag:LGdwC5nTua4rSe0dLbbA1Q==,type:str]", - "ENC[AES256_GCM,data:7bhghzi5GN/mMqh1vHU=,iv:X5vrd9X7ItIG/RVCn0T7RFhUrTb2YItr3i97EVk9nOY=,tag:vrM058PPOGmWOGPThOP5Ew==,type:str]" - ], - "example_number": "ENC[AES256_GCM,data:w9etQN5r8iCz,iv:YF+1uUlMa4I1C7A0ELpVuMa1yK042uEMhp8y6HiCTDE=,tag:Dmh+AV9sh+ir0M1Txe+v2A==,type:float]", - "example_booleans": [ - "ENC[AES256_GCM,data:/hltsg==,iv:pbAtZ9i8rxFpaFlbwE1KOA+k/TVx5dm0tDtH94GCEVc=,tag:yz3d1pQu9zy5Ra9z2kDcoA==,type:bool]", - "ENC[AES256_GCM,data:HEei0+s=,iv:hgKT5eiYdHn5AqWdNji7vRKfabln90VbLmJqt7A480E=,tag:6pfezzTX/eULebF+32Z2+w==,type:bool]" - ], - "sops": { - "lastmodified": "2016-08-04T23:30:35Z", - "attention": "This section contains key material that should only be modified with extra care. 
See `sops -h`.", - "unencrypted_suffix": "_unencrypted", - "mac": "ENC[AES256_GCM,data:EK1LkVgW5CBEsGgGc7RkfZlzqWrP2fZe3kG7HbkJ5JFd591oUkbQ6I2uPImkcxf7HjiEHzKPPF5QvNg3+rUxgw6S8pQtumhDbFrfDi8GDS2VVvPR+0fnc2fR5PMGm36bOaQFDNSmgyJzKhMmNL+MtRhH+fMUnHhrnxuN3wfLr4w=,iv:xbNK6wRDVT4xhrP+vP2RIy+uNjZSSzqEJZPOdShn96o=,tag:vT4akR5X6qx5/wJ4dncxtg==,type:str]", - "version": "1.13", - "kms": [ - { - "created_at": "2016-08-04T23:30:35Z", - "enc": "AQECAHgFEiO2dNygC3Rz8PhERCc8Sfhak4g81FUPqQJ0OBcAKgAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDPKe5R67LMN3+xAkygIBEIA7F8noZukawV3VLQ/yH3Ep7Ptx8weLFUgVf/ZI6xqSMNvEHIr4+vf2xjBiAyrEF8u/n9nm9PWAdKHszFM=", - "arn": "arn:aws:kms:us-east-1:927034868273:key/e9fc75db-05e9-44c1-9c35-633922bac347" - } - ], - "pgp": [ - { - "fp": "E5297818703249D0C60E19E6824612478D1A4CCD", - "created_at": "2016-08-04T23:30:35Z", - "enc": "-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1\n\nhQIMA2X8rvoeiASBARAAurTEVS82kqadk68f5ZlwR176S148WYTYxFp5oMC7cVD7\n42+Eo9RzaxbHeO5n7XKX0SDOUUeCucFl8fwuDUV1iDIx4/u5HgWXxDuvWoNe5cAL\n4LBS1Er2ZBVAdU0WHZ/8USuZLhSu7ucAHOvqNpHzPT6gkuBUYLQKOu0c+onWHqVO\n1DhfkTtvphotZ0ZBBR099t5N8ofD0W2+SM268A9/bB5yQcK9Ig/KxZBrfmMQm7zx\n9hLVQhcBmj0OQG37K4/SXGwjrQFarh6lm+FuZM0Q+GI+OARoAKdpZOnPEhXKE6un\nSEa69rh5FKVM/XRp2/QVZEakzRtq3gi9CtYL2sNr7KEnCvxt/v2pEc6evfIvxWTc\nT8MWdk48FkVjdsJ34sNiIM8msstnYorse8RZny9gcLE+A5lsRavo2QPL4GADyHF8\n7kwijSVDd08nByTBMMEPpMozUFhzF8QuVZPD+siuUvi+Bned9MmqgGMfvhS0Kf38\nMZFy5C6e38VGEX3IrWChvzbBm/M3fjs1fPVDShHfk1MYsCU9sXNQMQVewWE0s/em\nklycIL3hywd4N9z1MVW2hBpRrC247PtGQRKGoB9qbKtSgjTtgM7bo1vYekeY1tjr\nBGTHNFV+FBqFih16u/rGVzIaBsf5lLL/RtpaFZx1OWHMd9XjQpRrHhjOMpQ8tjvS\nXgGH59vv/9GNZ+Rix1QF+iMD84sfkyyguGKwg+TC3m275v+HIO1NvNdU6oS3O/Xq\nBCBV3yYAUwcrWUPWCuSUHJbuHKJEI1ymXUu8+RUElPyi/5JEhW+J1WlVPvnG1Xk=\n=Q/XA\n-----END PGP MESSAGE-----\n" - } - ] - } -} \ No newline at end of file From c7001db94100444c2508cadcd44ca0b51e8ce3db Mon Sep 17 00:00:00 2001 
From: Felix Fontein Date: Sat, 16 Sep 2023 15:03:46 +0200 Subject: [PATCH 088/135] Improve handling of errors when binary store handles bad data Makes sure that the 'data' key refers to strings. Also improves error messages, and on CLI hints at the --output-type option. Signed-off-by: Felix Fontein --- cmd/sops/decrypt.go | 11 ++++++ stores/json/store.go | 14 ++++++-- stores/json/store_test.go | 71 ++++++++++++++++++++++++++++++++++++++- 3 files changed, 93 insertions(+), 3 deletions(-) diff --git a/cmd/sops/decrypt.go b/cmd/sops/decrypt.go index 680af4cad..037e77f04 100644 --- a/cmd/sops/decrypt.go +++ b/cmd/sops/decrypt.go @@ -1,14 +1,19 @@ package main import ( + "errors" "fmt" "github.com/getsops/sops/v3" "github.com/getsops/sops/v3/cmd/sops/codes" "github.com/getsops/sops/v3/cmd/sops/common" "github.com/getsops/sops/v3/keyservice" + "github.com/getsops/sops/v3/stores/json" ) +const notBinaryHint = ("This is likely not an encrypted binary file?" + + " If not, use --output-type to select the correct output type.") + type decryptOpts struct { Cipher sops.Cipher InputStore sops.Store @@ -45,6 +50,9 @@ func decrypt(opts decryptOpts) (decryptedFile []byte, err error) { return extract(tree, opts.Extract, opts.OutputStore) } decryptedFile, err = opts.OutputStore.EmitPlainFile(tree.Branches) + if errors.Is(err, json.BinaryStoreEmitPlainError) { + err = fmt.Errorf("%s\n\n%s", err.Error(), notBinaryHint) + } if err != nil { return nil, common.NewExitError(fmt.Sprintf("Error dumping file: %s", err), codes.ErrorDumpingTree) } 
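Review bot: The wording of `notBinaryHint` is self-contradictory — it first says the input "is likely not an encrypted binary file?" and then says "If not, use --output-type", so a user cannot tell which condition the advice applies to. Something like `const notBinaryHint = "The decrypted document does not look like a sops binary file. If the input is not a binary file, pass --output-type to select the correct output format."` states both halves unambiguously. Since this string is printed to end users on every binary-store failure, it is worth settling before release.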
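Review bot: `fmt.Errorf("%s\n\n%s", err.Error(), notBinaryHint)` formats the original error with `%s`, so the returned value no longer satisfies `errors.Is(err, json.BinaryStoreEmitPlainError)` for anything downstream; use `fmt.Errorf("%w\n\n%s", err, notBinaryHint)` so the sentinel stays reachable through the chain. The identical three-line block is repeated in `extract` in the next hunk; a small helper such as `addBinaryHint(err error) error` would keep the two call sites in step. The `decrypt` function's body continues outside the hunk.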
@@ -59,6 +67,9 @@ func extract(tree *sops.Tree, path []interface{}, outputStore sops.Store) (outpu if newBranch, ok := v.(sops.TreeBranch); ok { tree.Branches[0] = newBranch decrypted, err := outputStore.EmitPlainFile(tree.Branches) + if errors.Is(err, json.BinaryStoreEmitPlainError) { + err = fmt.Errorf("%s\n\n%s", err.Error(), notBinaryHint) + } if err != nil { return nil, common.NewExitError(fmt.Sprintf("Error dumping file: %s", err), codes.ErrorDumpingTree) } diff --git a/stores/json/store.go b/stores/json/store.go index 1b18300f7..81b8bfead 100644 --- a/stores/json/store.go +++ b/stores/json/store.go @@ -3,6 +3,7 @@ package json //import "github.com/getsops/sops/v3/stores/json" import ( "bytes" "encoding/json" + "errors" "fmt" "io" @@ -42,15 +43,24 @@ func (store BinaryStore) EmitEncryptedFile(in sops.Tree) ([]byte, error) { return store.store.EmitEncryptedFile(in) } +var BinaryStoreEmitPlainError = errors.New("error emitting binary store") + // EmitPlainFile produces plaintext json file's bytes from its corresponding sops.TreeBranches object func (store BinaryStore) EmitPlainFile(in sops.TreeBranches) ([]byte, error) { + if len(in) != 1 { + return nil, fmt.Errorf("%w: there must be exactly one tree branch", BinaryStoreEmitPlainError) + } // JSON stores a single object per file for _, item := range in[0] { if item.Key == "data" { - return []byte(item.Value.(string)), nil + if value, ok := item.Value.(string); ok { + return []byte(value), nil + } else { + return nil, fmt.Errorf("%w: 'data' key in tree does not have a string value", BinaryStoreEmitPlainError) + } } } - return nil, fmt.Errorf("No binary data found in tree") + return nil, fmt.Errorf("%w: no binary data found in tree", BinaryStoreEmitPlainError) } // EmitValue extracts a value from a generic interface{} object representing a structured set diff --git a/stores/json/store_test.go b/stores/json/store_test.go index d9dd82733..be5e30be3 100644 --- a/stores/json/store_test.go 
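Review bot: `BinaryStoreEmitPlainError` is a new exported identifier with no doc comment and a name that does not follow the Go `ErrXxx` convention for sentinel errors; at minimum add `// BinaryStoreEmitPlainError is wrapped by every error BinaryStore.EmitPlainFile returns; match it with errors.Is.` so callers know how it is meant to be used, and consider `ErrBinaryStoreEmitPlain` while a rename is still cheap. In the same hunk the `if value, ok := ...; ok { return ... } else { return ... }` can drop the `else`: `if !ok { return nil, fmt.Errorf(...) }` followed by `return []byte(value), nil`, which is the shape gofmt/golint users expect.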
+++ b/stores/json/store_test.go @@ -3,8 +3,8 @@ package json import ( "testing" - "github.com/stretchr/testify/assert" "github.com/getsops/sops/v3" + "github.com/stretchr/testify/assert" ) func TestDecodeJSON(t *testing.T) { @@ -320,6 +320,75 @@ func TestLoadJSONFormattedBinaryFile(t *testing.T) { assert.Equal(t, "data", branches[0][0].Key) } +func TestEmitBinaryFile(t *testing.T) { + store := BinaryStore{} + data, err := store.EmitPlainFile(sops.TreeBranches{ + sops.TreeBranch{ + sops.TreeItem{ + Key: "data", + Value: "foo", + }, + }, + }) + assert.Nil(t, err) + assert.Equal(t, []byte("foo"), data) +} + +func TestEmitBinaryFileWrongBranches(t *testing.T) { + store := BinaryStore{} + data, err := store.EmitPlainFile(sops.TreeBranches{ + sops.TreeBranch{ + sops.TreeItem{ + Key: "data", + Value: "bar", + }, + }, + sops.TreeBranch{ + sops.TreeItem{ + Key: "data", + Value: "bar", + }, + }, + }) + assert.Nil(t, data) + assert.Contains(t, err.Error(), "there must be exactly one tree branch") + + data, err = store.EmitPlainFile(sops.TreeBranches{}) + assert.Nil(t, data) + assert.Contains(t, err.Error(), "there must be exactly one tree branch") +} + +func TestEmitBinaryFileNoData(t *testing.T) { + store := BinaryStore{} + data, err := store.EmitPlainFile(sops.TreeBranches{ + sops.TreeBranch{ + sops.TreeItem{ + Key: "foo", + Value: "bar", + }, + }, + }) + assert.Nil(t, data) + assert.Contains(t, err.Error(), "no binary data found in tree") +} + +func TestEmitBinaryFileWrongDataType(t *testing.T) { + store := BinaryStore{} + data, err := store.EmitPlainFile(sops.TreeBranches{ + sops.TreeBranch{ + sops.TreeItem{ + Key: "data", + Value: sops.TreeItem{ + Key: "foo", + Value: "bar", + }, + }, + }, + }) + assert.Nil(t, data) + assert.Contains(t, err.Error(), "'data' key in tree does not have a string value") +} + func TestEmitValueString(t *testing.T) { bytes, err := (&Store{}).EmitValue("hello") assert.Nil(t, err) 
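Review bot: The new failure tests assert only on substrings of `err.Error()`, but the contract `cmd/sops/decrypt.go` depends on is `errors.Is(err, BinaryStoreEmitPlainError)`; none of them pins that, so a later edit that drops the `%w` would pass these tests and silently break the CLI hint. Add `assert.ErrorIs(t, err, BinaryStoreEmitPlainError)` next to each `assert.Contains` in `TestEmitBinaryFileWrongBranches`, `TestEmitBinaryFileNoData` and `TestEmitBinaryFileWrongDataType`.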
From 591498d433c644d23eb8c594359f4cc629cfe8bf Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Sat, 16 Sep 2023 15:38:26 +0200 Subject: [PATCH 089/135] On macOS, prefer XDG_CONFIG_HOME over os.UserConfigDir() Signed-off-by: Felix Fontein --- age/keysource.go | 16 ++++++++++++++-- age/keysource_test.go | 16 ++++++++++++++-- 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/age/keysource.go b/age/keysource.go index a83d1a5c2..9ee6be491 100644 --- a/age/keysource.go +++ b/age/keysource.go @@ -7,6 +7,7 @@ import ( "io" "os" "path/filepath" + "runtime" "strings" "filippo.io/age" @@ -23,8 +24,10 @@ const ( // age keys file. SopsAgeKeyFileEnv = "SOPS_AGE_KEY_FILE" // SopsAgeKeyUserConfigPath is the default age keys file path in - // os.UserConfigDir. + // getUserConfigDir(). SopsAgeKeyUserConfigPath = "sops/age/keys.txt" + // On macOS, os.UserConfigDir() ignores XDG_CONFIG_HOME. So we handle that manually. + xdgConfigHome = "XDG_CONFIG_HOME" ) // log is the global logger for any age MasterKey. @@ -222,6 +225,15 @@ func (key *MasterKey) ToMap() map[string]interface{} { return out } +func getUserConfigDir() (string, error) { + if runtime.GOOS == "darwin" { + if userConfigDir, ok := os.LookupEnv(xdgConfigHome); ok && userConfigDir != "" { + return userConfigDir, nil + } + } + return os.UserConfigDir() +} + // loadIdentities attempts to load the age identities based on runtime // environment configurations (e.g. SopsAgeKeyEnv, SopsAgeKeyFileEnv, // SopsAgeKeyUserConfigPath). It will load all found references, and expects @@ -242,7 +254,7 @@ func (key *MasterKey) loadIdentities() (ParsedIdentities, error) { readers[SopsAgeKeyFileEnv] = f } - userConfigDir, err := os.UserConfigDir() + userConfigDir, err := getUserConfigDir() if err != nil && len(readers) == 0 { return nil, fmt.Errorf("user config directory could not be determined: %w", err) } diff --git a/age/keysource_test.go b/age/keysource_test.go index dd56351ea..62d0fcf78 100644 --- a/age/keysource_test.go 
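Review bot: On darwin `getUserConfigDir` honours any non-empty `XDG_CONFIG_HOME`, including a relative one, whereas the XDG base-directory spec says relative values must be ignored (and, as far as I recall, `os.UserConfigDir` rejects them on its Unix branch); a relative value would make the age key lookup depend on the process working directory. Change the guard to `if userConfigDir, ok := os.LookupEnv(xdgConfigHome); ok && filepath.IsAbs(userConfigDir) {` — `filepath` is already imported and `IsAbs("")` is false, so the `!= ""` check becomes redundant. The function also lacks a doc comment; `// getUserConfigDir returns os.UserConfigDir(), except on macOS where a set XDG_CONFIG_HOME takes precedence.` would do.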
+++ b/age/keysource_test.go @@ -380,11 +380,23 @@ func overwriteUserConfigDir(t *testing.T, path string) { switch runtime.GOOS { case "windows": t.Setenv("AppData", path) - case "darwin", "ios": // This adds "/Library/Application Support" as a suffix to $HOME - t.Setenv("HOME", path) case "plan9": // This adds "/lib" as a suffix to $home t.Setenv("home", path) default: // Unix t.Setenv("XDG_CONFIG_HOME", path) } } + +// Make sure that on all supported platforms but Windows, XDG_CONFIG_HOME +// can be used to specify the user's home directory. For most platforms +// this is handled by Go's os.UserConfigDir(), but for Darwin our code +// in getUserConfigDir() handles this explicitly. +func TestUserConfigDir(t *testing.T) { + if runtime.GOOS != "windows" { + const dir = "/test/home/dir" + t.Setenv("XDG_CONFIG_HOME", dir) + home, err := getUserConfigDir() + assert.Nil(t, err) + assert.Equal(t, home, dir) + } +} From 49298c39fdd6915917fbdb23e39de5c53dc54339 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Sat, 16 Sep 2023 15:16:07 +0200 Subject: [PATCH 090/135] Reject completely empty documents. This only affects empty YAML files, since only these can contain zero documents. Signed-off-by: Felix Fontein --- cmd/sops/codes/codes.go | 1 + cmd/sops/encrypt.go | 3 +++ 2 files changed, 4 insertions(+) diff --git a/cmd/sops/codes/codes.go b/cmd/sops/codes/codes.go index e431bd778..7aea67e80 100644 --- a/cmd/sops/codes/codes.go +++ b/cmd/sops/codes/codes.go @@ -21,6 +21,7 @@ const ( ConfigFileNotFound int = 61 KeyboardInterrupt int = 85 InvalidTreePathFormat int = 91 + NeedAtLeastOneDocument int = 92 NoFileSpecified int = 100 CouldNotRetrieveKey int = 128 NoEncryptionKeyFound int = 111 diff --git a/cmd/sops/encrypt.go b/cmd/sops/encrypt.go index cfb16ab18..f5b770e7a 100644 --- a/cmd/sops/encrypt.go +++ b/cmd/sops/encrypt.go 
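Review bot: `TestUserConfigDir` only exercises the case where `XDG_CONFIG_HOME` is set, so the darwin fallback to `os.UserConfigDir()` — the branch this commit actually adds — is untested; add a second step with `t.Setenv("XDG_CONFIG_HOME", "")` and assert the result equals `os.UserConfigDir()`. The `assert.Equal(t, home, dir)` call also has expected and actual swapped, which makes a failure diff read backwards; use `assert.Equal(t, dir, home)`. On Windows the function returns without asserting anything instead of calling `t.Skip`, so it reports a pass that checked nothing.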
@@ -64,6 +64,9 @@ func encrypt(opts encryptOpts) (encryptedFile []byte, err error) { if err != nil { return nil, common.NewExitError(fmt.Sprintf("Error unmarshalling file: %s", err), codes.CouldNotReadInputFile) } + if len(branches) < 1 { + return nil, common.NewExitError("File cannot be completely empty, it must contain at least one document", codes.NeedAtLeastOneDocument) + } if err := ensureNoMetadata(opts, branches[0]); err != nil { return nil, common.NewExitError(err, codes.FileAlreadyEncrypted) } From 6fd47e2c5c59fa4a4803de32e575414cd746f380 Mon Sep 17 00:00:00 2001 From: Mitar Date: Fri, 22 Sep 2023 11:20:35 +0200 Subject: [PATCH 091/135] Fix descriptions of unencrypted-regex and encrypted-regex flags. Signed-off-by: Mitar --- cmd/sops/main.go | 4 ++-- config/config.go | 5 ++++- config/config_test.go | 15 +++++++++++---- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/cmd/sops/main.go b/cmd/sops/main.go index 6615d7b82..96b27e817 100644 --- a/cmd/sops/main.go +++ b/cmd/sops/main.go @@ -678,11 +678,11 @@ func main() { }, cli.StringFlag{ Name: "unencrypted-regex", - Usage: "set the unencrypted key suffix. When specified, only keys matching the regex will be left unencrypted.", + Usage: "set the unencrypted key regex. When specified, only keys matching the regex will be left unencrypted.", }, cli.StringFlag{ Name: "encrypted-regex", - Usage: "set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.", + Usage: "set the encrypted key regex. When specified, only keys matching the regex will be encrypted.", }, cli.StringFlag{ Name: "config", diff --git a/config/config.go b/config/config.go index 311604634..c2475a2b9 100644 --- a/config/config.go +++ b/config/config.go 
@@ -242,12 +242,15 @@ func configFromRule(rule *creationRule, kmsEncryptionContext map[string]*string) if rule.EncryptedSuffix != "" { cryptRuleCount++ } + if rule.UnencryptedRegex != "" { + cryptRuleCount++ + } if rule.EncryptedRegex != "" { cryptRuleCount++ } if cryptRuleCount > 1 { - return nil, fmt.Errorf("error loading config: cannot use more than one of encrypted_suffix, unencrypted_suffix, or encrypted_regex for the same rule") + return nil, fmt.Errorf("error loading config: cannot use more than one of encrypted_suffix, unencrypted_suffix, encrypted_regex, or unencrypted_regex for the same rule") } groups, err := getKeyGroupsFromCreationRule(rule, kmsEncryptionContext) diff --git a/config/config_test.go b/config/config_test.go index a653fcb8e..4c43686c0 100644 --- a/config/config_test.go +++ b/config/config_test.go @@ -140,12 +140,19 @@ creation_rules: version: fooversion `) -var sampleConfigWithRegexParameters = []byte(` +var sampleConfigWithEncryptedRegexParameters = []byte(` creation_rules: - path_regex: barbar* kms: "1" pgp: "2" encrypted_regex: "^enc:" + `) + +var sampleConfigWithUnencryptedRegexParameters = []byte(` +creation_rules: + - path_regex: barbar* + kms: "1" + pgp: "2" unencrypted_regex: "^dec:" `) @@ -226,7 +233,7 @@ creation_rules: var sampleConfigWithComplicatedRegexp = []byte(` creation_rules: - path_regex: "stage/dev/feature-.*" - kms: dev-feature + kms: dev-feature - path_regex: "stage/dev/.*" kms: dev - path_regex: "stage/staging/.*" 
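Review bot: This hunk changes behaviour, not only descriptions as the commit title says: a creation rule combining `unencrypted_regex` with `encrypted_suffix`, `unencrypted_suffix` or `encrypted_regex` used to pass this check and now fails with the updated error. That is the right call, but it should be stated in the commit message/changelog, and the accompanying test change only splits the sample config rather than asserting the rejection — add a case that loads a rule with both `encrypted_regex` and `unencrypted_regex` and asserts the error contains `cannot use more than one of`. `configFromRule`'s body continues outside the hunk.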
@@ -396,13 +403,13 @@ func TestLoadConfigFileWithEncryptedSuffix(t *testing.T) { } func TestLoadConfigFileWithUnencryptedRegex(t *testing.T) { - conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil) + conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithUnencryptedRegexParameters, t), "/conf/path", "barbar", nil) assert.Equal(t, nil, err) assert.Equal(t, "^dec:", conf.UnencryptedRegex) } func TestLoadConfigFileWithEncryptedRegex(t *testing.T) { - conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil) + conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithEncryptedRegexParameters, t), "/conf/path", "barbar", nil) assert.Equal(t, nil, err) assert.Equal(t, "^enc:", conf.EncryptedRegex) } From 82e482f5bd1defb9f24cf87d9a02057d2a22f51a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Sep 2023 08:18:18 +0000 Subject: [PATCH 092/135] build(deps): Bump the go group with 4 updates Bumps the go group with 4 updates: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2), [github.com/aws/aws-sdk-go-v2/feature/s3/manager](https://github.com/aws/aws-sdk-go-v2), [google.golang.org/api](https://github.com/googleapis/google-api-go-client) and [google.golang.org/grpc](https://github.com/grpc/grpc-go). Updates `github.com/aws/aws-sdk-go-v2/config` from 1.18.39 to 1.18.42 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.18.39...config/v1.18.42) Updates `github.com/aws/aws-sdk-go-v2/feature/s3/manager` from 1.11.83 to 1.11.87 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/feature/s3/manager/v1.11.83...feature/s3/manager/v1.11.87) Updates `google.golang.org/api` from 0.141.0 to 0.143.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.141.0...v0.143.0) Updates `google.golang.org/grpc` from 1.58.1 to 1.58.2 - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.58.1...v1.58.2) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/feature/s3/manager dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - 
dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] --- go.mod | 28 ++++++++++++++-------------- go.sum | 56 ++++++++++++++++++++++++++++---------------------------- 2 files changed, 42 insertions(+), 42 deletions(-) diff --git a/go.mod b/go.mod index fb0bf6aad..34242d642 100644 --- a/go.mod +++ b/go.mod @@ -11,12 +11,12 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 github.com/aws/aws-sdk-go-v2 v1.21.0 - github.com/aws/aws-sdk-go-v2/config v1.18.39 - github.com/aws/aws-sdk-go-v2/credentials v1.13.37 - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.83 + github.com/aws/aws-sdk-go-v2/config v1.18.42 + github.com/aws/aws-sdk-go-v2/credentials v1.13.40 + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.87 github.com/aws/aws-sdk-go-v2/service/kms v1.24.5 - github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5 - github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 + github.com/aws/aws-sdk-go-v2/service/s3 v1.40.0 + github.com/aws/aws-sdk-go-v2/service/sts v1.22.0 github.com/blang/semver v3.5.1+incompatible github.com/fatih/color v1.15.0 github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a @@ -37,9 +37,9 @@ require ( golang.org/x/net v0.15.0 golang.org/x/sys v0.12.0 golang.org/x/term v0.12.0 - google.golang.org/api v0.141.0 - google.golang.org/genproto/googleapis/rpc v0.0.0-20230913181813-007df8e322eb - google.golang.org/grpc v1.58.1 + google.golang.org/api v0.143.0 + google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 + google.golang.org/grpc v1.58.2 google.golang.org/protobuf v1.31.0 gopkg.in/ini.v1 v1.67.0 gopkg.in/yaml.v3 v3.0.1 
@@ -60,14 +60,14 @@ require ( github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.43 // indirect github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.4 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.14 // indirect github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.36 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 // indirect github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.13.6 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.6 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.14.1 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.1 // indirect github.com/aws/smithy-go v1.14.2 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/cenkalti/backoff/v4 v4.1.3 // indirect @@ -85,7 +85,7 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/s2a-go v0.1.7 // indirect github.com/google/uuid v1.3.1 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.1 // indirect github.com/googleapis/gax-go/v2 v2.12.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-hclog v1.2.1 // indirect 
@@ -124,8 +124,8 @@ require ( golang.org/x/tools v0.7.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 // indirect + google.golang.org/genproto v0.0.0-20230913181813-007df8e322eb // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20230913181813-007df8e322eb // indirect gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect ) diff --git a/go.sum b/go.sum index 5c92b4553..52c87f4b2 100644 --- a/go.sum +++ b/go.sum 
@@ -40,20 +40,20 @@ github.com/aws/aws-sdk-go-v2 v1.21.0 h1:gMT0IW+03wtYJhRqTVYn0wLzwdnK9sRMcxmtfGzR github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13 h1:OPLEkmhXf6xFPiz0bLeDArZIDx1NNS4oJyG4nv3Gct0= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13/go.mod h1:gpAbvyDGQFozTEmlTFO8XcQKHzubdq0LzRyJpG6MiXM= -github.com/aws/aws-sdk-go-v2/config v1.18.39 h1:oPVyh6fuu/u4OiW4qcuQyEtk7U7uuNBmHmJSLg1AJsQ= -github.com/aws/aws-sdk-go-v2/config v1.18.39/go.mod h1:+NH/ZigdPckFpgB1TRcRuWCB/Kbbvkxc/iNAKTq5RhE= -github.com/aws/aws-sdk-go-v2/credentials v1.13.37 h1:BvEdm09+ZEh2XtN+PVHPcYwKY3wIeB6pw7vPRM4M9/U= -github.com/aws/aws-sdk-go-v2/credentials v1.13.37/go.mod h1:ACLrdkd4CLZyXOghZ8IYumQbcooAcp2jo/s2xsFH8IM= +github.com/aws/aws-sdk-go-v2/config v1.18.42 h1:28jHROB27xZwU0CB88giDSjz7M1Sba3olb5JBGwina8= +github.com/aws/aws-sdk-go-v2/config v1.18.42/go.mod h1:4AZM3nMMxwlG+eZlxvBKqwVbkDLlnN2a4UGTL6HjaZI= +github.com/aws/aws-sdk-go-v2/credentials v1.13.40 h1:s8yOkDh+5b1jUDhMBtngF6zKWLDs84chUk2Vk0c38Og= +github.com/aws/aws-sdk-go-v2/credentials v1.13.40/go.mod h1:VtEHVAAqDWASwdOqj/1huyT6uHbs5s8FUHfDQdky/Rs= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 h1:uDZJF1hu0EVT/4bogChk8DyjSF6fof6uL/0Y26Ma7Fg= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11/go.mod h1:TEPP4tENqBGO99KwVpV9MlOX4NSrSLP8u3KRy2CDwA8= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.83 h1:wcluDLIQ0uYaxv0fCWQRimbXkPdTgWHUD21j1CzXEwc= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.83/go.mod h1:nGCBuon134gW67yAtxHKV73x+tAcY/xG4ZPNPDB1h/I= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.87 h1:e20ZrsgDPUXqg8+rZVuPwNSp6yniUN2Yr2tzFZ+Yvl0= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.87/go.mod h1:0i0TAT6W+5i48QTlDU2KmY6U2hBZeY/LCP0wktya2oc= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 h1:22dGT7PneFMx4+b3pz7lMTRyN8ZKH7M2cW4GP9yUS2g= 
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41/go.mod h1:CrObHAuPneJBlfEJ5T3szXOUkLEThaGfvnhTf33buas= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 h1:SijA0mgjV8E+8G45ltVHs0fvKpTj8xmZJ3VwhGKtUSI= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35/go.mod h1:SJC1nEVVva1g3pHAIdCp7QsRIkMmLAgoDquQ9Rr8kYw= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42 h1:GPUcE/Yq7Ur8YSUk6lVkoIMWnJNO0HT18GUzCWCgCI0= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42/go.mod h1:rzfdUlfA+jdgLDmPKjd3Chq9V7LVLYo1Nz++Wb91aRo= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.43 h1:g+qlObJH4Kn4n21g69DjspU0hKTjWtq7naZ9OLCv0ew= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.43/go.mod h1:rzfdUlfA+jdgLDmPKjd3Chq9V7LVLYo1Nz++Wb91aRo= github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.4 h1:6lJvvkQ9HmbHZ4h/IEwclwv2mrTW8Uq1SOB/kXy0mfw= github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.4/go.mod h1:1PrKYwxTM+zjpw9Y41KFtoJCQrJ34Z47Y4VgVbfndjo= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.14 h1:m0QTSI6pZYJTk5WSKx3fm5cNW/DCicVzULBgU/6IyD0= 
@@ -66,14 +66,14 @@ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4 h1:v0jkRigbSD6uOd github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4/go.mod h1:LhTyt8J04LL+9cIt7pYJ5lbS/U98ZmXovLOR/4LUsk8= github.com/aws/aws-sdk-go-v2/service/kms v1.24.5 h1:VNEw+EdYDUdkICYAVQ6n9WoAq8ZuZr7dXKjyaOw94/Q= github.com/aws/aws-sdk-go-v2/service/kms v1.24.5/go.mod h1:NZEhPgq+vvmM6L9w+xl78Vf7YxqUcpVULqFdrUhHg8I= -github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5 h1:A42xdtStObqy7NGvzZKpnyNXvoOmm+FENobZ0/ssHWk= -github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5/go.mod h1:rDGMZA7f4pbmTtPOk5v5UM2lmX6UAbRnMDJeDvnH7AM= -github.com/aws/aws-sdk-go-v2/service/sso v1.13.6 h1:2PylFCfKCEDv6PeSN09pC/VUiRd10wi1VfHG5FrW0/g= -github.com/aws/aws-sdk-go-v2/service/sso v1.13.6/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.6 h1:pSB560BbVj9ZlJZF4WYj5zsytWHWKxg+NgyGV4B2L58= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.6/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4= -github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 h1:CQBFElb0LS8RojMJlxRSo/HXipvTZW2S44Lt9Mk2aYQ= -github.com/aws/aws-sdk-go-v2/service/sts v1.21.5/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU= +github.com/aws/aws-sdk-go-v2/service/s3 v1.40.0 h1:wl5dxN1NONhTDQD9uaEvNsDRX29cBmGED/nl0jkWlt4= +github.com/aws/aws-sdk-go-v2/service/s3 v1.40.0/go.mod h1:rDGMZA7f4pbmTtPOk5v5UM2lmX6UAbRnMDJeDvnH7AM= +github.com/aws/aws-sdk-go-v2/service/sso v1.14.1 h1:YkNzx1RLS0F5qdf9v1Q8Cuv9NXCL2TkosOxhzlUPV64= +github.com/aws/aws-sdk-go-v2/service/sso v1.14.1/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.1 h1:8lKOidPkmSmfUtiTgtdXWgaKItCZ/g75/jEk6Ql6GsA= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.1/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4= +github.com/aws/aws-sdk-go-v2/service/sts v1.22.0 h1:s4bioTgjSFRwOoyEFzAVCmFmoowBgjTR8gkrF/sQ4wk= +github.com/aws/aws-sdk-go-v2/service/sts 
v1.22.0/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU= github.com/aws/smithy-go v1.14.2 h1:MJU9hqBGbvWZdApzpvoF2WAIJDbtjK2NDJSiJP7HblQ= github.com/aws/smithy-go v1.14.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= @@ -172,8 +172,8 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.2.5 h1:UR4rDjcgpgEnqpIEvkiqTYKBCKLNmlge2eVjoZfySzM= -github.com/googleapis/enterprise-certificate-proxy v0.2.5/go.mod h1:RxW0N9901Cko1VOCW3SXCpWP+mlIEkk2tP7jnHy9a3w= +github.com/googleapis/enterprise-certificate-proxy v0.3.1 h1:SBWmZhjUDRorQxrN0nwzf+AHBxnbFjViHQS4P0yVpmQ= +github.com/googleapis/enterprise-certificate-proxy v0.3.1/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= github.com/goware/prefixer v0.0.0-20160118172347-395022866408 h1:Y9iQJfEqnN3/Nce9cOegemcy/9Ai5k3huT6E80F3zaw= 
@@ -425,8 +425,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.141.0 h1:Df6vfMgDoIM6ss0m7H4MPwFwY87WNXHfBIda/Bmfl4E= -google.golang.org/api v0.141.0/go.mod h1:iZqLkdPlXKyG0b90eu6KxVSE4D/ccRF2e/doKD2CnQQ= +google.golang.org/api v0.143.0 h1:o8cekTkqhywkbZT6p1UHJPZ9+9uuCAJs/KYomxZB8fA= +google.golang.org/api v0.143.0/go.mod h1:FoX9DO9hT7DLNn97OuoZAGSDuNAXdJRuGK98rSUgurk= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= 
@@ -434,19 +434,19 @@ google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCID google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY= -google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= -google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 h1:nIgk/EEq3/YlnmVVXVnm14rC2oxgs1o0ong4sD/rd44= -google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5/go.mod h1:5DZzOUPCLYL3mNkQ0ms0F3EuUNZ7py1Bqeq6sxzI7/Q= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230913181813-007df8e322eb h1:Isk1sSH7bovx8Rti2wZK0UZF6oraBDK74uoyLEEVFN0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230913181813-007df8e322eb/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= +google.golang.org/genproto v0.0.0-20230913181813-007df8e322eb h1:XFBgcDwm7irdHTbz4Zk2h7Mh+eis4nfJEFQFYzJzuIA= +google.golang.org/genproto v0.0.0-20230913181813-007df8e322eb/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= +google.golang.org/genproto/googleapis/api v0.0.0-20230913181813-007df8e322eb h1:lK0oleSc7IQsUxO3U5TjL9DWlsxpEBemh+zpB7IqhWI= +google.golang.org/genproto/googleapis/api v0.0.0-20230913181813-007df8e322eb/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 h1:N3bU/SQDCDyD6R528GJ/PwW9KjYcJA3dgyH+MovAkIM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:KSqppvjFjtoCI+KGd4PELB0qLNxdJHRGqRI09mB6pQA= google.golang.org/grpc v1.19.0/go.mod 
h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.58.1 h1:OL+Vz23DTtrrldqHK49FUOPHyY75rvFqJfXC84NYW58= -google.golang.org/grpc v1.58.1/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= +google.golang.org/grpc v1.58.2 h1:SXUpjxeVF3FKrTYQI4f4KvbGD5u2xccdYdurwowix5I= +google.golang.org/grpc v1.58.2/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From c8d644e14a8debad8afd3fad06d8c0d11237989f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Sep 2023 10:32:56 +0000 Subject: [PATCH 093/135] build(deps): Bump the ci group with 1 update Bumps the ci group with 1 update: [actions/checkout](https://github.com/actions/checkout). - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/3df4ab11eba7bda6032a0b82a6bb43b11571feac...8ade135a41bc03ea155e62e844d188df1ea18608) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci ... 
Signed-off-by: dependabot[bot] --- .github/workflows/cli.yml | 4 ++-- .github/workflows/codeql.yml | 2 +- .github/workflows/release.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml index be3fb375f..9abd9cbad 100644 --- a/.github/workflows/cli.yml +++ b/.github/workflows/cli.yml @@ -34,7 +34,7 @@ jobs: id: go - name: Check out code into the Go module directory - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v3.6.0 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.6.0 - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: @@ -89,7 +89,7 @@ jobs: run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain 1.70.0 - name: Check out code - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v3.6.0 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.6.0 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 564a959b6..f656ad5b6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f1a1a0340..0c39f8393 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 with: fetch-depth: 0 From 539d541392085c4caa5b9cdb448c4a762ff44a2e Mon Sep 17 00:00:00 2001 
From: Felix Fontein Date: Wed, 27 Sep 2023 22:23:25 +0200 Subject: [PATCH 094/135] Fix versions in comments Signed-off-by: Felix Fontein --- .github/workflows/cli.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml index 9abd9cbad..ef5e63a19 100644 --- a/.github/workflows/cli.yml +++ b/.github/workflows/cli.yml @@ -34,7 +34,7 @@ jobs: id: go - name: Check out code into the Go module directory - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.6.0 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: @@ -89,7 +89,7 @@ jobs: run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain 1.70.0 - name: Check out code - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.6.0 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: From 2cce4a6f51154f59ca6368c80bb5278a6d28f39e Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Thu, 28 Sep 2023 22:15:30 +0200 Subject: [PATCH 095/135] Handle return values of dec.Token() to improve error messages. Signed-off-by: Felix Fontein --- stores/json/store.go | 12 +++++++++++- stores/json/store_test.go | 15 +++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/stores/json/store.go b/stores/json/store.go index 81b8bfead..16a4b5d05 100644 --- a/stores/json/store.go +++ b/stores/json/store.go 
@@ -221,7 +221,17 @@ func (store Store) jsonFromTreeBranch(branch sops.TreeBranch) ([]byte, error) {
 func (store Store) treeBranchFromJSON(in []byte) (sops.TreeBranch, error) {
 dec := json.NewDecoder(bytes.NewReader(in))
- dec.Token()
+ value, err := dec.Token()
+ if err != nil {
+ return nil, err
+ }
+ if delim, ok := value.(json.Delim); ok {
+ if delim.String() != "{" {
+ return nil, fmt.Errorf("Expected JSON object start, got delimiter %s instead", value)
+ }
+ } else {
+ return nil, fmt.Errorf("Expected JSON object start, got %#v of type %T instead", value, value)
+ }
 return store.treeBranchFromJSONDecoder(dec)
 }
diff --git a/stores/json/store_test.go b/stores/json/store_test.go
index be5e30be3..311276d0d 100644
--- a/stores/json/store_test.go
+++ b/stores/json/store_test.go
@@ -130,6 +130,21 @@ func TestDecodeNumber(t *testing.T) {
 in := `42`
 _, err := Store{}.treeBranchFromJSON([]byte(in))
 assert.NotNil(t, err)
+ assert.Equal(t, "Expected JSON object start, got 42 of type float64 instead", err.Error())
+}
+
+func TestDecodeArray(t *testing.T) {
+ in := ` [42] `
+ _, err := Store{}.treeBranchFromJSON([]byte(in))
+ assert.NotNil(t, err)
+ assert.Equal(t, "Expected JSON object start, got delimiter [ instead", err.Error())
+}
+
+func TestDecodeEmpty(t *testing.T) {
+ in := ``
+ _, err := Store{}.treeBranchFromJSON([]byte(in))
+ assert.NotNil(t, err)
+ assert.Equal(t, "EOF", err.Error())
 }
 func TestDecodeNestedJSONObject(t *testing.T) {
From ce2ec6942aa6fdc9ef8c913035637afdeca7d597 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Fri, 29 Sep 2023 13:06:30 +0200 Subject: [PATCH 096/135] Make error the last return value Signed-off-by: Felix Fontein --- pgp/keysource.go | 8 ++++---- pgp/keysource_test.go | 12 ++++++------ 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/pgp/keysource.go b/pgp/keysource.go
index b968a3046..9a5bec5da 100644
--- a/pgp/keysource.go
+++ b/pgp/keysource.go
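Review bot: The new guard validates only the opening token, so input that continues after the closing brace (for example `{} {"a": 1}`) is presumably still accepted, assuming treeBranchFromJSONDecoder stops at the matching `}` — that function is outside the hunk. For a file that carries secrets and a MAC it is worth making the parser strict: after `store.treeBranchFromJSONDecoder(dec)` succeeds, `if _, err := dec.Token(); err != io.EOF { return nil, fmt.Errorf("Unexpected data after JSON object") }` rejects trailing content (this needs `io` in scope, which I cannot confirm from the hunk). The new error strings begin with a capital letter, which staticcheck (ST1005) flags; since TestDecodeNumber and friends pin the exact text, either lowercase them now or add a short comment that the wording is deliberate.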
@@ -131,7 +131,7 @@ func (d GnuPGHome) Import(armoredKey []byte) error {
 }
 args := []string{"--batch", "--import"}
- err, _, stderr := gpgExec(d.String(), args, bytes.NewReader(armoredKey))
+ _, stderr, err := gpgExec(d.String(), args, bytes.NewReader(armoredKey))
 if err != nil {
 return fmt.Errorf("failed to import armored key data into GnuPG keyring: %s", strings.TrimSpace(stderr.String()))
 }
@@ -318,7 +318,7 @@ func (key *MasterKey) encryptWithGnuPG(dataKey []byte) error {
 fingerprint,
 "--no-encrypt-to",
 }
- err, stdout, stderr := gpgExec(key.gnuPGHomeDir, args, bytes.NewReader(dataKey))
+ stdout, stderr, err := gpgExec(key.gnuPGHomeDir, args, bytes.NewReader(dataKey))
 if err != nil {
 return fmt.Errorf("failed to encrypt sops data key with pgp: %s", strings.TrimSpace(stderr.String()))
 }
@@ -407,7 +407,7 @@ func (key *MasterKey) decryptWithGnuPG() ([]byte, error) {
 args := []string{
 "-d",
 }
- err, stdout, stderr := gpgExec(key.gnuPGHomeDir, args, strings.NewReader(key.EncryptedKey))
+ stdout, stderr, err := gpgExec(key.gnuPGHomeDir, args, strings.NewReader(key.EncryptedKey))
 if err != nil {
 return nil, fmt.Errorf("failed to decrypt sops data key with pgp: %s", strings.TrimSpace(stderr.String()))
@@ -564,7 +564,7 @@ func fingerprintIndex(ring openpgp.EntityList) map[string]openpgp.Entity {
 // gpgExec runs the provided args with the gpgBinary, while restricting it to
 // homeDir when provided. Stdout and stderr can be read from the returned
 // buffers. When the command fails, an error is returned.
-func gpgExec(homeDir string, args []string, stdin io.Reader) (err error, stdout bytes.Buffer, stderr bytes.Buffer) {
+func gpgExec(homeDir string, args []string, stdin io.Reader) (stdout bytes.Buffer, stderr bytes.Buffer, err error) {
 if homeDir != "" {
 args = append([]string{"--homedir", homeDir}, args...)
 }
diff --git a/pgp/keysource_test.go b/pgp/keysource_test.go
index 187a75b1d..9de3b1af1 100644
--- a/pgp/keysource_test.go
+++ b/pgp/keysource_test.go
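Review bot: All three call sites touched in this hunk build their error from stderr alone and drop `err`, so when the gpg binary cannot be executed at all (missing, not executable) stderr is empty and the user sees `failed to import armored key data into GnuPG keyring: ` with no cause. Wrapping the underlying error keeps the exec failure visible and lets callers use errors.Is/As: `return fmt.Errorf("failed to import armored key data into GnuPG keyring: %w: %s", err, strings.TrimSpace(stderr.String()))`, and the same shape for the encrypt and decrypt sites. The return-order change itself is sound; the compiler catches any caller still using the old order because the types differ.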
@@ -56,14 +56,14 @@ func TestGnuPGHome_Import(t *testing.T) { assert.NoError(t, err) assert.NoError(t, gnuPGHome.Import(b)) - err, _, stderr := gpgExec(gnuPGHome.String(), []string{"--list-keys", mockFingerprint}, nil) + _, stderr, err := gpgExec(gnuPGHome.String(), []string{"--list-keys", mockFingerprint}, nil) assert.NoErrorf(t, err, stderr.String()) b, err = os.ReadFile(mockPrivateKey) assert.NoError(t, err) assert.NoError(t, gnuPGHome.Import(b)) - err, _, stderr = gpgExec(gnuPGHome.String(), []string{"--list-secret-keys", mockFingerprint}, nil) + _, stderr, err = gpgExec(gnuPGHome.String(), []string{"--list-secret-keys", mockFingerprint}, nil) assert.NoErrorf(t, err, stderr.String()) assert.Error(t, gnuPGHome.Import([]byte("invalid armored data"))) @@ -271,7 +271,7 @@ func TestMasterKey_encryptWithGnuPG(t *testing.T) { args := []string{ "-d", } - err, stdout, stderr := gpgExec(key.gnuPGHomeDir, args, strings.NewReader(key.EncryptedKey)) + stdout, stderr, err := gpgExec(key.gnuPGHomeDir, args, strings.NewReader(key.EncryptedKey)) assert.NoError(t, err, stderr.String()) assert.Equal(t, data, stdout.Bytes()) }) @@ -321,7 +321,7 @@ func TestMasterKey_Decrypt(t *testing.T) { fingerprint := shortenFingerprint(mockFingerprint) data := []byte("this data is absolutely top secret") - err, stdout, stderr := gpgExec(gnuPGHome.String(), []string{ + stdout, stderr, err := gpgExec(gnuPGHome.String(), []string{ "--no-default-recipient", "--yes", "--encrypt", @@ -403,7 +403,7 @@ func TestMasterKey_decryptWithOpenPGP(t *testing.T) { fingerprint := shortenFingerprint(mockFingerprint) data := []byte("this data is absolutely top secret") - err, stdout, stderr := gpgExec(gnuPGHome.String(), []string{ + stdout, stderr, err := gpgExec(gnuPGHome.String(), []string{ "--no-default-recipient", "--yes", "--encrypt", 
@@ -451,7 +451,7 @@ func TestMasterKey_decryptWithGnuPG(t *testing.T) {
 fingerprint := shortenFingerprint(mockFingerprint)
 data := []byte("this data is absolutely top secret")
- err, stdout, stderr := gpgExec(gnuPGHome.String(), []string{
+ stdout, stderr, err := gpgExec(gnuPGHome.String(), []string{
 "--no-default-recipient",
 "--yes",
 "--encrypt",
From de6e1d531f6098614c90449bc84084b49589e1d7 Mon Sep 17 00:00:00 2001 From: Martin Holst Swende Date: Fri, 29 Sep 2023 10:12:12 +0200 Subject: [PATCH 097/135] pgp: do not require abs path for SopsGpgExecEnv Signed-off-by: Martin Holst Swende --- pgp/keysource.go | 11 +++++------ pgp/keysource_test.go | 4 ++++ 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/pgp/keysource.go b/pgp/keysource.go
index 9a5bec5da..1dd975feb 100644
--- a/pgp/keysource.go
+++ b/pgp/keysource.go
@@ -578,14 +578,13 @@ func gpgExec(homeDir string, args []string, stdin io.Reader) (stdout bytes.Buffe
 }
 // gpgBinary returns the GnuPG binary which must be used.
-// It allows for runtime modifications by setting the environment variable
-// SopsGpgExecEnv to the absolute path of the replacement binary.
+// It allows for runtime modifications by setting the replacement binary
+// via the environment variable SopsGpgExecEnv.
 func gpgBinary() string {
- binary := "gpg"
- if envBinary := os.Getenv(SopsGpgExecEnv); envBinary != "" && filepath.IsAbs(envBinary) {
- binary = envBinary
+ if envBinary := os.Getenv(SopsGpgExecEnv); envBinary != "" {
+ return envBinary
 }
- return binary
+ return "gpg"
 }
 // gnuPGHome determines the GnuPG home directory, and returns its path.
diff --git a/pgp/keysource_test.go b/pgp/keysource_test.go
index 9de3b1af1..b6145fcef 100644
--- a/pgp/keysource_test.go
+++ b/pgp/keysource_test.go
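Review bot: gpgBinary now passes any non-empty value of the variable named by SopsGpgExecEnv straight through, so a bare name is resolved via PATH by os/exec and anything containing a separator is used as a path relative to the working directory; the dropped filepath.IsAbs test was the only constraint on which program ends up receiving the data key on stdin (gpgExec's callers pass it as stdin), so the doc comment should state that contract rather than just "replacement binary", e.g. `// The value is used as-is: a bare command name is looked up in PATH by os/exec, any other value is treated as a path. Whoever controls this variable controls the program that receives key material on stdin.` Since anyone who can set this variable could already set PATH, this is a trust-boundary clarification rather than a new exposure. If filepath.IsAbs was this file's only use of path/filepath, the import has to go as well — that is not visible in the hunk.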
@@ -651,6 +651,10 @@ func Test_gpgBinary(t *testing.T) {
 overwrite := "/some/other/gpg"
 t.Setenv(SopsGpgExecEnv, overwrite)
 assert.Equal(t, overwrite, gpgBinary())
+
+ overwrite = "not_abs_path"
+ t.Setenv(SopsGpgExecEnv, overwrite)
+ assert.Equal(t, overwrite, gpgBinary())
 }
 func Test_gnuPGHome(t *testing.T) {
From be40257e5c5d51064c524419dffbc1f0a09f5283 Mon Sep 17 00:00:00 2001 From: Lars Lehtonen Date: Tue, 26 Sep 2023 00:07:59 -0700 Subject: [PATCH 098/135] decrypt: fix dropped error Signed-off-by: Lars Lehtonen --- decrypt/decrypt.go | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/decrypt/decrypt.go b/decrypt/decrypt.go
index 874f59e9a..c3b2ba64b 100644
--- a/decrypt/decrypt.go
+++ b/decrypt/decrypt.go
@@ -59,6 +59,9 @@ func DataWithFormat(data []byte, format Format) (cleartext []byte, err error) {
 key, tree.Metadata.LastModified.Format(time.RFC3339),
 )
+ if err != nil {
+ return nil, fmt.Errorf("Failed to decrypt original mac: %w", err)
+ }
 if originalMac != mac {
 return nil, fmt.Errorf("Failed to verify data integrity. expected mac %q, got %q", originalMac, mac)
 }
From 4b65127d1cbd2ce9180766219df847cc1ef82c2f Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Fri, 29 Sep 2023 13:08:36 +0200 Subject: [PATCH 099/135] Ignore irrelevant return value (it is always nil). Signed-off-by: Felix Fontein --- stores/yaml/store.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/stores/yaml/store.go b/stores/yaml/store.go
index 1481dff8f..51ce25426 100644
--- a/stores/yaml/store.go
+++ b/stores/yaml/store.go
@@ -204,9 +204,9 @@ func (store *Store) appendSequence(in []interface{}, sequence *yaml.Node) {
 }
 if len(comments) > 0 {
 if beginning {
- comments = store.addCommentsHead(sequence, comments)
+ store.addCommentsHead(sequence, comments)
 } else {
- comments = store.addCommentsFoot(sequence.Content[len(sequence.Content)-1], comments)
+ store.addCommentsFoot(sequence.Content[len(sequence.Content)-1], comments)
 }
 }
 }
@@ -231,9 +231,9 @@ func (store *Store) appendTreeBranch(branch sops.TreeBranch, mapping *yaml.Node)
 }
 if len(comments) > 0 {
 if beginning {
- comments = store.addCommentsHead(mapping, comments)
+ store.addCommentsHead(mapping, comments)
 } else {
- comments = store.addCommentsFoot(mapping.Content[len(mapping.Content)-2], comments)
+ store.addCommentsFoot(mapping.Content[len(mapping.Content)-2], comments)
 }
 }
 }
From 3fc121d1486934cca51e0bc780c6307f732e7009 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Fri, 29 Sep 2023 13:17:14 +0200 Subject: [PATCH 100/135] Handle unhandled errors. Signed-off-by: Felix Fontein --- cmd/sops/common/common.go | 3 ++ cmd/sops/main.go | 5 ++++ stores/yaml/store.go | 4 +++ stores/yaml/store_test.go | 59 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 71 insertions(+)
diff --git a/cmd/sops/common/common.go b/cmd/sops/common/common.go
index 907125d28..7beecb8c1 100644
--- a/cmd/sops/common/common.go
+++ b/cmd/sops/common/common.go
@@ -89,6 +89,9 @@ func DecryptTree(opts DecryptTreeOpts) (dataKey []byte, err error) {
 }
 fileMac, err := opts.Cipher.Decrypt(opts.Tree.Metadata.MessageAuthenticationCode, dataKey, opts.Tree.Metadata.LastModified.Format(time.RFC3339))
 if !opts.IgnoreMac {
+ if err != nil {
+ return nil, NewExitError(fmt.Sprintf("Cannot decrypt MAC: %s", err), codes.MacMismatch)
+ }
 if fileMac != computedMac {
 // If the file has an empty MAC, display "no MAC" instead of not displaying anything
 if fileMac == "" {
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 96b27e817..1e640c944 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
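Review bot: The new decrypt-error check in DecryptTree sits under `if !opts.IgnoreMac`, so when MAC checking is disabled a failure to decrypt the stored MAC is dropped without a trace, although that failure usually points at a wrong data key or damaged metadata rather than a merely stale MAC. Ignoring a mismatch is what the option promises, but the decrypt error deserves at least a warning on the package's logger (not visible here) before the branch, something like `if err != nil && opts.IgnoreMac { log.Warnf("Cannot decrypt MAC, ignoring because MAC checking is disabled: %s", err) }`. Mapping the decrypt failure to codes.MacMismatch is reasonable, since to the caller it is indistinguishable from a MAC that does not verify. DecryptTree continues beyond the hunk.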
@@ -1236,6 +1236,11 @@ func extractSetArguments(set string) (path []interface{}, valueToInsert interfac
 fullPath := strings.TrimRight(pathValuePair[0], " ")
 jsonValue := pathValuePair[1]
 valueToInsert, err = jsonValueToTreeInsertableValue(jsonValue)
+ if err != nil {
+ // All errors returned by jsonValueToTreeInsertableValue are created by common.NewExitError(),
+ // so we can simply pass them on
+ return nil, nil, err
+ }
 path, err = parseTreePath(fullPath)
 if err != nil {
diff --git a/stores/yaml/store.go b/stores/yaml/store.go
index 51ce25426..29fe2652a 100644
--- a/stores/yaml/store.go
+++ b/stores/yaml/store.go
@@ -131,6 +131,10 @@ func (store Store) appendYamlNodeToTreeBranch(node *yaml.Node, branch sops.TreeB
 return nil, fmt.Errorf("YAML documents that are values are not supported")
 case yaml.AliasNode:
 branch, err = store.appendYamlNodeToTreeBranch(node.Alias, branch, false)
+ if err != nil {
+ // This should never happen since node.Alias was already successfully decoded before
+ return nil, err
+ }
 }
 if !commentsWereHandled {
 branch = store.appendCommentToMap(node.FootComment, branch)
diff --git a/stores/yaml/store_test.go b/stores/yaml/store_test.go
index f37e3deb4..4851068a3 100644
--- a/stores/yaml/store_test.go
+++ b/stores/yaml/store_test.go
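Review bot: The early return in extractSetArguments is right, but its comment asserts that every error from jsonValueToTreeInsertableValue is already a common.NewExitError, which the hunk cannot show and which silently stops being true the day that helper returns a plain error; returning `toExitError(err)` (the wrapper this file uses elsewhere, which appears to pass an existing ExitError through unchanged) costs nothing and removes the dependency on the helper's contract. Before this change `err` was overwritten by parseTreePath on the next line, so a malformed `--set` value went in as nil — a regression test for `--set` with invalid JSON would pin the fix. extractSetArguments continues outside the hunk.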
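Review bot: The comment on the new check in appendYamlNodeToTreeBranch, `This should never happen since node.Alias was already successfully decoded before`, is an assumption rather than something the hunk guarantees: the recursion re-walks the aliased node with its third argument set to `false`, and the same function has error paths (the `YAML documents that are values are not supported` return just above) that depend on where a node is visited, so keep the check and soften the comment to `// Re-walking the aliased node can in principle fail; surface it rather than continue with a partial branch`. Separately, every alias is expanded by recursing into node.Alias (the new TestLoadAliasesPlainFile shows key2/key4 duplicated in full), so nested alias chains expand multiplicatively — the classic YAML alias-bomb pattern — and nothing visible here bounds that; if sops is expected to parse files it did not itself write, a node-count or depth limit on expansion is worth considering. The function continues beyond the hunk.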
@@ -48,6 +48,59 @@ var BRANCHES = sops.TreeBranches{ }, } +var ALIASES = []byte(`--- +key1: &foo + - foo +key2: *foo +key3: &bar + foo: bar + baz: bam +key4: *bar +`) + +var ALIASES_BRANCHES = sops.TreeBranches{ + sops.TreeBranch{ + sops.TreeItem{ + Key: "key1", + Value: []interface{}{ + "foo", + }, + }, + sops.TreeItem{ + Key: "key2", + Value: []interface{}{ + "foo", + }, + }, + sops.TreeItem{ + Key: "key3", + Value: sops.TreeBranch{ + sops.TreeItem{ + Key: "foo", + Value: "bar", + }, + sops.TreeItem{ + Key: "baz", + Value: "bam", + }, + }, + }, + sops.TreeItem{ + Key: "key4", + Value: sops.TreeBranch{ + sops.TreeItem{ + Key: "foo", + Value: "bar", + }, + sops.TreeItem{ + Key: "baz", + Value: "bam", + }, + }, + }, + }, +} + var COMMENT_1 = []byte(`# test a: b: null @@ -170,6 +223,12 @@ func TestLoadPlainFile(t *testing.T) { assert.Equal(t, BRANCHES, branches) } +func TestLoadAliasesPlainFile(t *testing.T) { + branches, err := (&Store{}).LoadPlainFile(ALIASES) + assert.Nil(t, err) + assert.Equal(t, ALIASES_BRANCHES, branches) +} + func TestComment1(t *testing.T) { // First iteration: load and store branches, err := (&Store{}).LoadPlainFile(COMMENT_1) From c9cc5f8cf933b830f7da256e3da0f29d5531896f Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Fri, 29 Sep 2023 13:17:22 +0200 Subject: [PATCH 101/135] Defer only after checking err. Signed-off-by: Felix Fontein --- cmd/sops/common/common.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/sops/common/common.go b/cmd/sops/common/common.go index 7beecb8c1..fa54ecc7d 100644 --- a/cmd/sops/common/common.go +++ b/cmd/sops/common/common.go 
@@ -321,10 +321,10 @@ func FixAWSKMSEncryptionContextBug(opts GenericDecryptOpts, tree *sops.Tree) (*s
 }
 file, err := os.Create(opts.InputPath)
- defer file.Close()
 if err != nil {
 return nil, NewExitError(fmt.Sprintf("Could not open file for writing: %s", err), codes.CouldNotWriteOutputFile)
 }
+ defer file.Close()
 _, err = file.Write(encryptedFile)
 if err != nil {
 return nil, err
From f298b80b1b1f57f1ce89297aebfedc088bfa5016 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Fri, 29 Sep 2023 13:17:30 +0200 Subject: [PATCH 102/135] Check err for nil in tests. Signed-off-by: Felix Fontein --- kms/keysource_test.go | 1 + pgp/keysource_test.go | 3 +++ 2 files changed, 4 insertions(+)
diff --git a/kms/keysource_test.go b/kms/keysource_test.go
index 81cd9bbd8..4bed28621 100644
--- a/kms/keysource_test.go
+++ b/kms/keysource_test.go
@@ -446,6 +446,7 @@ func TestMasterKey_createKMSConfig(t *testing.T) {
 assert.NoError(t, err)
 creds, err := cfg.Credentials.Retrieve(context.TODO())
+ assert.Nil(t, err)
 assert.Equal(t, "id", creds.AccessKeyID)
 assert.Equal(t, "secret", creds.SecretAccessKey)
 assert.Equal(t, "token", creds.SessionToken)
diff --git a/pgp/keysource_test.go b/pgp/keysource_test.go
index b6145fcef..b72bf8a92 100644
--- a/pgp/keysource_test.go
+++ b/pgp/keysource_test.go
@@ -332,6 +332,7 @@ func TestMasterKey_Decrypt(t *testing.T) {
 fingerprint,
 "--no-encrypt-to",
 }, bytes.NewReader(data))
+ assert.Nil(t, err)
 assert.NoErrorf(t, gnuPGHome.ImportFile(mockPrivateKey), stderr.String())
 encryptedData := stdout.String()
@@ -414,6 +415,7 @@ func TestMasterKey_decryptWithOpenPGP(t *testing.T) {
 fingerprint,
 "--no-encrypt-to",
 }, bytes.NewReader(data))
+ assert.Nil(t, err)
 assert.NoErrorf(t, gnuPGHome.ImportFile(mockPrivateKey), stderr.String())
 encryptedData := stdout.String()
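Review bot: Deferring Close after the error check removes the nil dereference, but the write path in FixAWSKMSEncryptionContextBug still truncates opts.InputPath in place via os.Create before anything is written, so a failed file.Write (or a crash between the two calls) leaves the secrets file empty or half-written, and the deferred Close discards its error, which on some filesystems is where a write failure is first reported. Writing to a temporary file in the same directory and renaming it over the original makes the rewrite atomic; at minimum replace the defer with an explicit check after the write, `if err := file.Close(); err != nil { return nil, NewExitError(fmt.Sprintf("Could not close file: %s", err), codes.CouldNotWriteOutputFile) }`. The function continues outside the hunk.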
@@ -462,6 +464,7 @@ func TestMasterKey_decryptWithGnuPG(t *testing.T) {
 fingerprint,
 "--no-encrypt-to",
 }, bytes.NewReader(data))
+ assert.Nil(t, err)
 assert.NoErrorf(t, gnuPGHome.ImportFile(mockPrivateKey), stderr.String())
 encryptedData := stdout.String()
From a9848bad248d5c87f40f04ddfd3a9113c285cd6e Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Sun, 8 Oct 2023 15:30:56 +0200 Subject: [PATCH 103/135] Report key rotation errors. Signed-off-by: Felix Fontein --- cmd/sops/main.go | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 1e640c944..f175bf10f 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -904,6 +904,11 @@ func main() {
 AddMasterKeys: addMasterKeys,
 RemoveMasterKeys: rmMasterKeys,
 })
+ // While this check is also done below, the `err` in this scope shadows
+ // the `err` in the outer scope
+ if err != nil {
+ return toExitError(err)
+ }
 }
 if c.String("set") != "" {
From 6cd3d67a77a6e1169b9c503f4965b43e409fec30 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Sun, 8 Oct 2023 15:37:26 +0200 Subject: [PATCH 104/135] Make sure to wrap raw errors with toExitError(). Signed-off-by: Felix Fontein --- cmd/sops/main.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index f175bf10f..261c8421d 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -282,14 +282,14 @@ func main() {
 path := c.Args()[0]
 info, err := os.Stat(path)
 if err != nil {
- return err
+ return toExitError(err)
 }
 if info.IsDir() && !c.Bool("recursive") {
 return fmt.Errorf("can't operate on a directory without --recursive flag.")
 }
 err = filepath.Walk(path, func(subPath string, info os.FileInfo, err error) error {
 if err != nil {
- return err
+ return toExitError(err)
 }
 if !info.IsDir() {
 err = publishcmd.Run(publishcmd.Opts{
@@ -312,7 +312,7 @@ func main() {
 return nil
 })
 if err != nil {
- return err
+ return toExitError(err)
 }
 return nil
 },
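Review bot: The added check in the key-rotation branch papers over a shadowed `err`: the comment itself says the inner `err` shadows the outer one, which means the assignment just above the hunk declares a new variable inside the block, so the pre-existing check further down never saw the rotation error at all. Fixing the declaration — assign to the outer `err` with `=`, or name the inner result differently, e.g. `rotateErr` — removes the duplicate check and the explanatory comment and keeps `go vet`'s shadow analyzer quiet. The assignment is outside the hunk, so I cannot confirm its exact form.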
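Review bot: One raw error remains in the publish hunk: `return fmt.Errorf("can't operate on a directory without --recursive flag.")` is still returned unwrapped while every neighbouring return now goes through toExitError, so that path still exits with whatever code the cli framework assigns to a plain error. Wrap it too, `return toExitError(fmt.Errorf("can't operate on a directory without --recursive flag"))`, or give it a dedicated code via common.NewExitError; dropping the trailing period also follows the usual Go error-string convention. Wrapping inside the filepath.Walk callback and again on Walk's result is harmless only because toExitError appears to return an existing ExitError unchanged. The publish closure continues outside the hunk.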
@@ -842,21 +842,21 @@ func main() {
 }
 azureKeys, err := azkv.MasterKeysFromURLs(c.String("add-azure-kv"))
 if err != nil {
- return err
+ return toExitError(err)
 }
 for _, k := range azureKeys {
 addMasterKeys = append(addMasterKeys, k)
 }
 hcVaultKeys, err := hcvault.NewMasterKeysFromURIs(c.String("add-hc-vault-transit"))
 if err != nil {
- return err
+ return toExitError(err)
 }
 for _, k := range hcVaultKeys {
 addMasterKeys = append(addMasterKeys, k)
 }
 ageKeys, err := age.MasterKeysFromRecipients(c.String("add-age"))
 if err != nil {
- return err
+ return toExitError(err)
 }
 for _, k := range ageKeys {
 addMasterKeys = append(addMasterKeys, k)
@@ -874,21 +874,21 @@ func main() {
 }
 azureKeys, err = azkv.MasterKeysFromURLs(c.String("rm-azure-kv"))
 if err != nil {
- return err
+ return toExitError(err)
 }
 for _, k := range azureKeys {
 rmMasterKeys = append(rmMasterKeys, k)
 }
 hcVaultKeys, err = hcvault.NewMasterKeysFromURIs(c.String("rm-hc-vault-transit"))
 if err != nil {
- return err
+ return toExitError(err)
 }
 for _, k := range hcVaultKeys {
 rmMasterKeys = append(rmMasterKeys, k)
 }
 ageKeys, err = age.MasterKeysFromRecipients(c.String("rm-age"))
 if err != nil {
- return err
+ return toExitError(err)
 }
 for _, k := range ageKeys {
 rmMasterKeys = append(rmMasterKeys, k)
From ffcacf0a89b446729aa6d11876bce73f8ffb0efe Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 09:20:57 +0000 Subject: [PATCH 105/135] build(deps): Bump the go group with 7 updates Bumps the go group with 7 updates: | Package | From | To | | --- | --- | --- | | [github.com/Azure/azure-sdk-for-go/sdk/azcore](https://github.com/Azure/azure-sdk-for-go) | `1.7.2` | `1.8.0` | | [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) | `1.21.0` | `1.21.1` | | [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.18.42` | `1.18.44` | | [github.com/aws/aws-sdk-go-v2/feature/s3/manager](https://github.com/aws/aws-sdk-go-v2) | `1.11.87` | `1.11.89` | | [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2) | `1.24.5` | `1.24.6` | | [golang.org/x/net](https://github.com/golang/net) | `0.15.0` | `0.16.0` | | [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.143.0` | `0.145.0` | Updates `github.com/Azure/azure-sdk-for-go/sdk/azcore` from 1.7.2 to 1.8.0 - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.7.2...sdk/azcore/v1.8.0) Updates `github.com/aws/aws-sdk-go-v2` from 1.21.0 to 1.21.1 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.21.0...v1.21.1) Updates `github.com/aws/aws-sdk-go-v2/config` from 1.18.42 to 1.18.44 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.18.42...config/v1.18.44) Updates `github.com/aws/aws-sdk-go-v2/feature/s3/manager` from 1.11.87 to 1.11.89 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - 
[Commits](https://github.com/aws/aws-sdk-go-v2/compare/feature/s3/manager/v1.11.87...feature/s3/manager/v1.11.89) Updates `github.com/aws/aws-sdk-go-v2/service/kms` from 1.24.5 to 1.24.6 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/fms/v1.24.5...service/fsx/v1.24.6) Updates `golang.org/x/net` from 0.15.0 to 0.16.0 - [Commits](https://github.com/golang/net/compare/v0.15.0...v0.16.0) Updates `google.golang.org/api` from 0.143.0 to 0.145.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.143.0...v0.145.0) --- updated-dependencies: - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azcore dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/feature/s3/manager dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/service/kms dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... 
Signed-off-by: dependabot[bot] --- go.mod | 52 ++++++++++++++--------------- go.sum | 104 ++++++++++++++++++++++++++++----------------------------- 2 files changed, 78 insertions(+), 78 deletions(-) diff --git a/go.mod b/go.mod index 34242d642..b6511f7f4 100644 --- a/go.mod +++ b/go.mod @@ -6,17 +6,17 @@ require ( cloud.google.com/go/kms v1.15.2 cloud.google.com/go/storage v1.33.0 filippo.io/age v1.1.1 - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 - github.com/aws/aws-sdk-go-v2 v1.21.0 - github.com/aws/aws-sdk-go-v2/config v1.18.42 - github.com/aws/aws-sdk-go-v2/credentials v1.13.40 - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.87 - github.com/aws/aws-sdk-go-v2/service/kms v1.24.5 - github.com/aws/aws-sdk-go-v2/service/s3 v1.40.0 - github.com/aws/aws-sdk-go-v2/service/sts v1.22.0 + github.com/aws/aws-sdk-go-v2 v1.21.1 + github.com/aws/aws-sdk-go-v2/config v1.18.44 + github.com/aws/aws-sdk-go-v2/credentials v1.13.42 + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.89 + github.com/aws/aws-sdk-go-v2/service/kms v1.24.6 + github.com/aws/aws-sdk-go-v2/service/s3 v1.40.1 + github.com/aws/aws-sdk-go-v2/service/sts v1.23.1 github.com/blang/semver v3.5.1+incompatible github.com/fatih/color v1.15.0 github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a 
@@ -34,10 +34,10 @@ require ( github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.8.4 github.com/urfave/cli v1.22.14 - golang.org/x/net v0.15.0 - golang.org/x/sys v0.12.0 - golang.org/x/term v0.12.0 - google.golang.org/api v0.143.0 + golang.org/x/net v0.16.0 + golang.org/x/sys v0.13.0 + golang.org/x/term v0.13.0 + google.golang.org/api v0.145.0 google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 google.golang.org/grpc v1.58.2 google.golang.org/protobuf v1.31.0 
@@ -56,19 +56,19 @@ require ( github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect github.com/Microsoft/go-winio v0.6.0 // indirect github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect - github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.3.43 // indirect - github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.4 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.14 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.36 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.14.1 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.1 // indirect - github.com/aws/smithy-go v1.14.2 // indirect + github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.12 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.42 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.36 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.44 // indirect + github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.5 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.37 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.36 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.5 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.15.1 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc 
v1.17.2 // indirect + github.com/aws/smithy-go v1.15.0 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/cenkalti/backoff/v4 v4.1.3 // indirect github.com/cloudflare/circl v1.3.3 // indirect @@ -115,7 +115,7 @@ require ( github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect go.opencensus.io v0.24.0 // indirect - golang.org/x/crypto v0.13.0 // indirect + golang.org/x/crypto v0.14.0 // indirect golang.org/x/mod v0.9.0 // indirect golang.org/x/oauth2 v0.12.0 // indirect golang.org/x/sync v0.3.0 // indirect diff --git a/go.sum b/go.sum index 52c87f4b2..d56735596 100644 --- a/go.sum +++ b/go.sum @@ -13,8 +13,8 @@ cloud.google.com/go/storage v1.33.0 h1:PVrDOkIC8qQVa1P3SXGpQvfuJhN2LHOoyZvWs8D2X cloud.google.com/go/storage v1.33.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/OxflYkiD8= filippo.io/age v1.1.1 h1:pIpO7l151hCnQ4BdyBujnGP2YlUo0uj6sAVNHGBvXHg= filippo.io/age v1.1.1/go.mod h1:l03SrzDUrBkdBx8+IILdnn2KZysqQdbEBUQ4p3sqEQE= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2 h1:t5+QXLCK9SVi0PPdaY0PrFvYUo24KwA0QwxnaHRSVd4= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 h1:9kDVnTz3vbfweTqAUmk/a/pH5pWFCHtvRpHYC0G/dcA= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0/go.mod h1:3Ug6Qzto9anB6mGlEdgYMDF5zHQ+wwhEaYR4s17PHMw= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= 
@@ -36,46 +36,46 @@ github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8 github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg= github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/aws/aws-sdk-go-v2 v1.21.0 h1:gMT0IW+03wtYJhRqTVYn0wLzwdnK9sRMcxmtfGzRdJc= -github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13 h1:OPLEkmhXf6xFPiz0bLeDArZIDx1NNS4oJyG4nv3Gct0= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13/go.mod h1:gpAbvyDGQFozTEmlTFO8XcQKHzubdq0LzRyJpG6MiXM= -github.com/aws/aws-sdk-go-v2/config v1.18.42 h1:28jHROB27xZwU0CB88giDSjz7M1Sba3olb5JBGwina8= -github.com/aws/aws-sdk-go-v2/config v1.18.42/go.mod h1:4AZM3nMMxwlG+eZlxvBKqwVbkDLlnN2a4UGTL6HjaZI= -github.com/aws/aws-sdk-go-v2/credentials v1.13.40 h1:s8yOkDh+5b1jUDhMBtngF6zKWLDs84chUk2Vk0c38Og= -github.com/aws/aws-sdk-go-v2/credentials v1.13.40/go.mod h1:VtEHVAAqDWASwdOqj/1huyT6uHbs5s8FUHfDQdky/Rs= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 h1:uDZJF1hu0EVT/4bogChk8DyjSF6fof6uL/0Y26Ma7Fg= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11/go.mod h1:TEPP4tENqBGO99KwVpV9MlOX4NSrSLP8u3KRy2CDwA8= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.87 h1:e20ZrsgDPUXqg8+rZVuPwNSp6yniUN2Yr2tzFZ+Yvl0= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.87/go.mod h1:0i0TAT6W+5i48QTlDU2KmY6U2hBZeY/LCP0wktya2oc= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 h1:22dGT7PneFMx4+b3pz7lMTRyN8ZKH7M2cW4GP9yUS2g= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41/go.mod h1:CrObHAuPneJBlfEJ5T3szXOUkLEThaGfvnhTf33buas= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 
h1:SijA0mgjV8E+8G45ltVHs0fvKpTj8xmZJ3VwhGKtUSI= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35/go.mod h1:SJC1nEVVva1g3pHAIdCp7QsRIkMmLAgoDquQ9Rr8kYw= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.43 h1:g+qlObJH4Kn4n21g69DjspU0hKTjWtq7naZ9OLCv0ew= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.43/go.mod h1:rzfdUlfA+jdgLDmPKjd3Chq9V7LVLYo1Nz++Wb91aRo= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.4 h1:6lJvvkQ9HmbHZ4h/IEwclwv2mrTW8Uq1SOB/kXy0mfw= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.4/go.mod h1:1PrKYwxTM+zjpw9Y41KFtoJCQrJ34Z47Y4VgVbfndjo= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.14 h1:m0QTSI6pZYJTk5WSKx3fm5cNW/DCicVzULBgU/6IyD0= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.14/go.mod h1:dDilntgHy9WnHXsh7dDtUPgHKEfTJIBUTHM8OWm0f/0= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.36 h1:eev2yZX7esGRjqRbnVk1UxMLw4CyVZDpZXRCcy75oQk= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.36/go.mod h1:lGnOkH9NJATw0XEPcAknFBj3zzNTEGRHtSw+CwC1YTg= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 h1:CdzPW9kKitgIiLV1+MHobfR5Xg25iYnyzWZhyQuSlDI= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35/go.mod h1:QGF2Rs33W5MaN9gYdEQOBBFPLwTZkEhRwI33f7KIG0o= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4 h1:v0jkRigbSD6uOdwcaUQmgEwG1BkPfAPDqaeNt/29ghg= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4/go.mod h1:LhTyt8J04LL+9cIt7pYJ5lbS/U98ZmXovLOR/4LUsk8= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.5 h1:VNEw+EdYDUdkICYAVQ6n9WoAq8ZuZr7dXKjyaOw94/Q= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.5/go.mod h1:NZEhPgq+vvmM6L9w+xl78Vf7YxqUcpVULqFdrUhHg8I= -github.com/aws/aws-sdk-go-v2/service/s3 v1.40.0 h1:wl5dxN1NONhTDQD9uaEvNsDRX29cBmGED/nl0jkWlt4= -github.com/aws/aws-sdk-go-v2/service/s3 v1.40.0/go.mod h1:rDGMZA7f4pbmTtPOk5v5UM2lmX6UAbRnMDJeDvnH7AM= -github.com/aws/aws-sdk-go-v2/service/sso v1.14.1 
h1:YkNzx1RLS0F5qdf9v1Q8Cuv9NXCL2TkosOxhzlUPV64= -github.com/aws/aws-sdk-go-v2/service/sso v1.14.1/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.1 h1:8lKOidPkmSmfUtiTgtdXWgaKItCZ/g75/jEk6Ql6GsA= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.1/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4= -github.com/aws/aws-sdk-go-v2/service/sts v1.22.0 h1:s4bioTgjSFRwOoyEFzAVCmFmoowBgjTR8gkrF/sQ4wk= -github.com/aws/aws-sdk-go-v2/service/sts v1.22.0/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU= -github.com/aws/smithy-go v1.14.2 h1:MJU9hqBGbvWZdApzpvoF2WAIJDbtjK2NDJSiJP7HblQ= -github.com/aws/smithy-go v1.14.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aws/aws-sdk-go-v2 v1.21.1 h1:wjHYshtPpYOZm+/mu3NhVgRRc0baM6LJZOmxPZ5Cwzs= +github.com/aws/aws-sdk-go-v2 v1.21.1/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 h1:Sc82v7tDQ/vdU1WtuSyzZ1I7y/68j//HJ6uozND1IDs= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14/go.mod h1:9NCTOURS8OpxvoAVHq79LK81/zC78hfRWFn+aL0SPcY= +github.com/aws/aws-sdk-go-v2/config v1.18.44 h1:U10NQ3OxiY0dGGozmVIENIDnCT0W432PWxk2VO8wGnY= +github.com/aws/aws-sdk-go-v2/config v1.18.44/go.mod h1:pHxnQBldd0heEdJmolLBk78D1Bf69YnKLY3LOpFImlU= +github.com/aws/aws-sdk-go-v2/credentials v1.13.42 h1:KMkjpZqcMOwtRHChVlHdNxTUUAC6NC/b58mRZDIdcRg= +github.com/aws/aws-sdk-go-v2/credentials v1.13.42/go.mod h1:7ltKclhvEB8305sBhrpls24HGxORl6qgnQqSJ314Uw8= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.12 h1:3j5lrl9kVQrJ1BU4O0z7MQ8sa+UXdiLuo4j0V+odNI8= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.12/go.mod h1:JbFpcHDBdsex1zpIKuVRorZSQiZEyc3MykNCcjgz174= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.89 h1:XPqSyw8SBSLMRrF9Oip6tQpivXWJLMn8sdRoAsUCQQA= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.89/go.mod h1:OkYwM7gYm9HieL6emYtkg7Pb7Jd8FFM5Pl5uAZ1h2jo= 
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.42 h1:817VqVe6wvwE46xXy6YF5RywvjOX6U2zRQQ6IbQFK0s= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.42/go.mod h1:oDfgXoBBmj+kXnqxDDnIDnC56QBosglKp8ftRCTxR+0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.36 h1:7ZApaXzWbo8slc+W5TynuUlB4z66g44h7uqa3/d/BsY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.36/go.mod h1:rwr4WnmFi3RJO0M4dxbJtgi9BPLMpVBMX1nUte5ha9U= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.44 h1:quOJOqlbSfeJTboXLjYXM1M9T52LBXqLoTPlmsKLpBo= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.44/go.mod h1:LNy+P1+1LiRcCsVYr/4zG5n8zWFL0xsvZkOybjbftm8= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.5 h1:8JG9ny0BqBDzmtIzbpaN+eke152ZNsYKApFJ/q29Hxo= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.5/go.mod h1:kEDHQApP/ukMO9natNftgUN3NaTsMxK6jb2jjpSMX7Y= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 h1:7R8uRYyXzdD71KWVCL78lJZltah6VVznXBazvKjfH58= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15/go.mod h1:26SQUPcTNgV1Tapwdt4a1rOsYRsnBsJHLMPoxK2b0d8= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.37 h1:Mx1zJlYbiUQANWT40koevLvxawGFolmkaP4m+LuyG7M= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.37/go.mod h1:PjKIAMFthKPgG/B8bbRpo3F8jfr2q2L+w3u78jJ12a0= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.36 h1:YXlm7LxwNlauqb2OrinWlcvtsflTzP8GaMvYfQBhoT4= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.36/go.mod h1:ou9ffqJ9hKOVZmjlC6kQ6oROAyG1M4yBKzR+9BKbDwk= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.5 h1:sAAz28SeA7YZl8Yaphjs9tlLsflhdniQPjf3X2cqr4s= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.5/go.mod h1:HC7gNz3VH0p+RvLKK+HqNQv/gHy+1Os3ko/F41s3+aw= +github.com/aws/aws-sdk-go-v2/service/kms v1.24.6 h1:rp9DrFG3na9nuqsBZWb5KwvZrODhjayqFVJe8jmeVY8= +github.com/aws/aws-sdk-go-v2/service/kms v1.24.6/go.mod 
h1:I/absi3KLfE37J5QWMKyoYT8ZHA9t8JOC+Rb7Cyy+vc= +github.com/aws/aws-sdk-go-v2/service/s3 v1.40.1 h1:FqIaVPbs2W8U3fszl2PCL1IDKeRdM7TssjWamL6b2mg= +github.com/aws/aws-sdk-go-v2/service/s3 v1.40.1/go.mod h1:X0e0NCAx4GjOrKro7s9QYy+YEIFhgCkt6gYKVKhZB5Y= +github.com/aws/aws-sdk-go-v2/service/sso v1.15.1 h1:ZN3bxw9OYC5D6umLw6f57rNJfGfhg1DIAAcKpzyUTOE= +github.com/aws/aws-sdk-go-v2/service/sso v1.15.1/go.mod h1:PieckvBoT5HtyB9AsJRrYZFY2Z+EyfVM/9zG6gbV8DQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.2 h1:fSCCJuT5i6ht8TqGdZc5Q5K9pz/atrf7qH4iK5C9XzU= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.2/go.mod h1:5eNtr+vNc5vVd92q7SJ+U/HszsIdhZBEyi9dkMRKsp8= +github.com/aws/aws-sdk-go-v2/service/sts v1.23.1 h1:ASNYk1ypWAxRhJjKS0jBnTUeDl7HROOpeSMu1xDA/I8= +github.com/aws/aws-sdk-go-v2/service/sts v1.23.1/go.mod h1:2cnsAhVT3mqusovc2stUSUrSBGTcX9nh8Tu6xh//2eI= +github.com/aws/smithy-go v1.15.0 h1:PS/durmlzvAFpQHDs4wi4sNNP9ExsqZh6IlfdHXgKK8= +github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= 
@@ -315,8 +315,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck= -golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= +golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= @@ -343,8 +343,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8= -golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= +golang.org/x/net v0.16.0 h1:7eBu7KsSvFDtSXUIDbh3aqlK4DPsZ1rByC8PFfBThos= +golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= 
@@ -386,15 +386,15 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= -golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= -golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU= -golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= +golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= +golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 
@@ -425,8 +425,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.143.0 h1:o8cekTkqhywkbZT6p1UHJPZ9+9uuCAJs/KYomxZB8fA= -google.golang.org/api v0.143.0/go.mod h1:FoX9DO9hT7DLNn97OuoZAGSDuNAXdJRuGK98rSUgurk= +google.golang.org/api v0.145.0 h1:kBjvf1A3/m30kUvnUX9jZJxTu3lJrpGFt5V/1YZrjwg= +google.golang.org/api v0.145.0/go.mod h1:OARJqIfoYjXJj4C1AiBSXYZt03qsoz8FQYU6fBEfrHM= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= From 26d922de3572d8466d9c7a4969486d74d357267a Mon Sep 17 00:00:00 2001 From: Norman Santiago Date: Wed, 6 Sep 2023 12:21:23 +0800 Subject: [PATCH 106/135] docs: document AWS environment variables Signed-off-by: Norman Santiago Co-authored-by: Felix Fontein Co-authored-by: Hidde Beydals --- README.rst | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/README.rst b/README.rst index 45abff539..7f4b9dba1 100644 --- a/README.rst +++ b/README.rst 
@@ -64,7 +64,10 @@ recommended to use at least two master keys in different regions. export SOPS_KMS_ARN="arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e,arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d" -Your AWS credentials must be present in ``~/.aws/credentials``. sops uses aws-sdk-go. +SOPS uses `aws-sdk-go-v2 `_ to communicate with AWS KMS. It will automatically +read the credentials from the ``~/.aws/credentials`` file which can be created with the ``aws configure`` command. + +An example of the ``~/.aws/credentials`` file is shown below: .. code:: @@ -73,6 +76,17 @@ Your AWS credentials must be present in ``~/.aws/credentials``. sops uses aws-sd aws_access_key_id = AKI..... aws_secret_access_key = mw...... +In addition to the ``~/.aws/credentials`` file, you can also use the ``AWS_ACCESS_KEY_ID`` and ``AWS_SECRET_ACCESS_KEY`` +environment variables to specify your credentials: + +.. code:: bash + + export AWS_ACCESS_KEY_ID="AKI......" + export AWS_SECRET_ACCESS_KEY="mw......" + +For more information and additional environment variables, see +`specifying credentials `_. + If you want to use PGP, export the fingerprints of the public keys, comma separated, in the **SOPS_PGP_FP** env variable. From 1d96c0cca904bcfcad574d4bb641e7a0ac4e495a Mon Sep 17 00:00:00 2001 From: Max Jonas Werner Date: Fri, 15 Sep 2023 16:10:06 +0200 Subject: [PATCH 107/135] pgp: better error reporting for missing GPG binary The error returned by `gpgExec` has just been swallowed. Now it is stringified and returned together with any output to stderr. Signed-off-by: Max Jonas Werner --- pgp/keysource.go | 17 +++++++++++++++-- pgp/keysource_test.go | 19 ++++++++++++++++++- 2 files changed, 33 insertions(+), 3 deletions(-) diff --git a/pgp/keysource.go b/pgp/keysource.go index 1dd975feb..8d131acf8 100644 --- a/pgp/keysource.go +++ b/pgp/keysource.go 
@@ -9,6 +9,7 @@ package pgp //import "github.com/getsops/sops/v3/pgp" import ( "bytes" "encoding/hex" + "errors" "fmt" "io" "os" @@ -131,9 +132,21 @@ func (d GnuPGHome) Import(armoredKey []byte) error { } args := []string{"--batch", "--import"} - _, stderr, err := gpgExec(d.String(), args, bytes.NewReader(armoredKey)) + _, stderrBuf, err := gpgExec(d.String(), args, bytes.NewReader(armoredKey)) if err != nil { - return fmt.Errorf("failed to import armored key data into GnuPG keyring: %s", strings.TrimSpace(stderr.String())) + stderr := stderrBuf.String() + errStr := err.Error() + var sb strings.Builder + sb.WriteString("failed to import armored key data into GnuPG keyring") + if len(stderr) > 0 { + fmt.Fprintf(&sb, ": %s", stderr) + if len(errStr) > 0 { + fmt.Fprintf(&sb, ": %s", errStr) + } + } else if len(errStr) > 0 { + fmt.Fprintf(&sb, ": %s", errStr) + } + return errors.New(sb.String()) } return nil } diff --git a/pgp/keysource_test.go b/pgp/keysource_test.go index b72bf8a92..5ce05a680 100644 --- a/pgp/keysource_test.go +++ b/pgp/keysource_test.go 
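Review bot: Returning `errors.New(sb.String())` flattens the `gpgExec` error into text, so callers can no longer use `errors.Is`/`errors.As` to distinguish a missing binary or a non-zero exit status from any other failure. Since this version appends `errStr` last in both branches, dropping the two `fmt.Fprintf(&sb, ": %s", errStr)` calls and returning `fmt.Errorf("%s: %w", sb.String(), err)` produces the same message while preserving the error chain. The stderr text is also no longer passed through `strings.TrimSpace` as the removed line did, so GnuPG's trailing newline ends up inside the message before the exit-status suffix. The same flattening remains in the reworked version of this block in the later `pgp: further improve import error format` patch on this page. `Import` starts outside the hunk.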
@@ -66,10 +66,27 @@ func TestGnuPGHome_Import(t *testing.T) { _, stderr, err = gpgExec(gnuPGHome.String(), []string{"--list-secret-keys", mockFingerprint}, nil) assert.NoErrorf(t, err, stderr.String()) - assert.Error(t, gnuPGHome.Import([]byte("invalid armored data"))) + err = gnuPGHome.Import([]byte("invalid armored data")) + assert.Error(t, err) + assert.ErrorContains(t, err, "gpg: no valid OpenPGP data found.\ngpg: Total number processed: 0\n: exit status 2") assert.Error(t, GnuPGHome("").Import(b)) } +func TestGnuPGHome_Import_With_Missing_Binary(t *testing.T) { + t.Setenv(SopsGpgExecEnv, "/does/not/exist") + + gnuPGHome, err := NewGnuPGHome() + assert.NoError(t, err) + t.Cleanup(func() { + _ = os.RemoveAll(gnuPGHome.String()) + }) + + b, err := os.ReadFile(mockPublicKey) + assert.NoError(t, err) + err = gnuPGHome.Import(b) + assert.ErrorContains(t, err, "failed to import armored key data into GnuPG keyring: fork/exec /does/not/exist: no such file or directory") +} + func TestGnuPGHome_ImportFile(t *testing.T) { gnuPGHome, err := NewGnuPGHome() assert.NoError(t, err) From 408c9d67aeacb98d89f7ef578aa4ca04e110dc72 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 10 Oct 2023 00:43:08 +0200 Subject: [PATCH 108/135] pgp: further improve import error format Looking more at this, it would actually be great if we would detect multi-line errors from GnuPG in `Import()`, `Decrypt()` and `Encrypt()` so that we can slightly improve the formatting of the errors with a newline seperator before the `gpg: ...\ngpg: ...` output. As this would likely increase readability. Signed-off-by: Hidde Beydals --- pgp/keysource.go | 10 +++++----- pgp/keysource_test.go | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/pgp/keysource.go b/pgp/keysource.go index 8d131acf8..7c14ff265 100644 --- a/pgp/keysource.go +++ b/pgp/keysource.go 
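Review bot: `TestGnuPGHome_Import_With_Missing_Binary` asserts on the literal `fork/exec /does/not/exist: no such file or directory`, which looks like the Unix rendering of the underlying `*fs.PathError`; on other platforms the OS message (and path handling) differs, so the test is platform-bound. Asserting on the stable prefix `failed to import armored key data into GnuPG keyring` and checking the cause with `errors.Is(err, fs.ErrNotExist)` would be portable, although the latter only works once `Import` wraps the cause with `%w` instead of `errors.New`. The other new assertion pins `\n: exit status 2`, i.e. GnuPG's trailing newline that the message builder no longer trims, which locks in a formatting quirk rather than intended output. `TestGnuPGHome_Import` starts outside the hunk.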
@@ -132,17 +132,17 @@ func (d GnuPGHome) Import(armoredKey []byte) error { } args := []string{"--batch", "--import"} - _, stderrBuf, err := gpgExec(d.String(), args, bytes.NewReader(armoredKey)) + _, stderr, err := gpgExec(d.String(), args, bytes.NewReader(armoredKey)) if err != nil { - stderr := stderrBuf.String() + stderrStr := strings.TrimSpace(stderr.String()) errStr := err.Error() var sb strings.Builder sb.WriteString("failed to import armored key data into GnuPG keyring") - if len(stderr) > 0 { - fmt.Fprintf(&sb, ": %s", stderr) + if len(stderrStr) > 0 { if len(errStr) > 0 { - fmt.Fprintf(&sb, ": %s", errStr) + fmt.Fprintf(&sb, " (%s)", errStr) } + fmt.Fprintf(&sb, ": %s", stderrStr) } else if len(errStr) > 0 { fmt.Fprintf(&sb, ": %s", errStr) } diff --git a/pgp/keysource_test.go b/pgp/keysource_test.go index 5ce05a680..f820ff032 100644 --- a/pgp/keysource_test.go +++ b/pgp/keysource_test.go @@ -68,7 +68,7 @@ func TestGnuPGHome_Import(t *testing.T) { err = gnuPGHome.Import([]byte("invalid armored data")) assert.Error(t, err) - assert.ErrorContains(t, err, "gpg: no valid OpenPGP data found.\ngpg: Total number processed: 0\n: exit status 2") + assert.ErrorContains(t, err, "(exit status 2): gpg: no valid OpenPGP data found.\ngpg: Total number processed: 0") assert.Error(t, GnuPGHome("").Import(b)) } From 8e21a88b14f0fa521d0839a3814f6c66fd1d0a5a Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Sat, 16 Sep 2023 11:13:53 +0200 Subject: [PATCH 109/135] Improve RST files (with rstcheck feedback). Signed-off-by: Felix Fontein --- README.rst | 102 +++++++++++++++++++++++++++-------------------------- 1 file changed, 52 insertions(+), 50 deletions(-) diff --git a/README.rst b/README.rst index 7f4b9dba1..d181fc291 100644 --- a/README.rst +++ b/README.rst 
@@ -69,7 +69,7 @@ read the credentials from the ``~/.aws/credentials`` file which can be created w An example of the ``~/.aws/credentials`` file is shown below: -.. code:: +.. code:: sh $ cat ~/.aws/credentials [default] @@ -99,7 +99,7 @@ Note: you can use both PGP and KMS simultaneously. Then simply call ``sops`` with a file path as argument. It will handle the encryption/decryption transparently and open the cleartext file in an editor -.. code:: shell +.. code:: sh $ sops mynewtestfile.yaml mynewtestfile.yaml doesn't exist, creating it. @@ -152,7 +152,7 @@ to access your data. To decrypt a file in a ``cat`` fashion, use the ``-d`` flag: -.. code:: bash +.. code:: sh $ sops -d mynewtestfile.yaml @@ -162,7 +162,7 @@ permissions on KMS keys. Given that, the only command a ``sops`` user needs is: -.. code:: bash +.. code:: sh $ sops @@ -193,7 +193,7 @@ encrypting files. It's recommended to use age over PGP, if possible. You can encrypt a file for one or more age recipients (comma separated) using the ``--age`` option or the **SOPS_AGE_RECIPIENTS** environment variable: -.. code:: bash +.. code:: sh $ sops --encrypt --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml @@ -219,11 +219,13 @@ GCP KMS uses `Application Default Credentials `_. If you already logged in using -.. code:: bash +.. code:: sh $ gcloud auth login -you can enable application default credentials using the sdk:: +you can enable application default credentials using the sdk: + +.. code:: sh $ gcloud auth application-default login @@ -231,7 +233,7 @@ Encrypting/decrypting with GCP KMS requires a KMS ResourceID. You can use the cloud console the get the ResourceID or you can create one using the gcloud sdk: -.. code:: bash +.. code:: sh $ gcloud kms keyrings create sops --location global $ gcloud kms keys create sops-key --location global --keyring sops --purpose encryption 
@@ -277,7 +279,7 @@ For example, you can use a Service Principal with the following environment vari You can create a Service Principal using the CLI like this: -.. code:: bash +.. code:: sh $ az ad sp create-for-rbac -n my-keyvault-sp @@ -299,7 +301,7 @@ a key. This has the following form:: To create a Key Vault and assign your service principal permissions on it from the commandline: -.. code:: bash +.. code:: sh # Create a resource group if you do not have one: $ az group create --name sops-rg --location westeurope @@ -331,12 +333,12 @@ We assume you have an instance (or more) of Vault running and you have privilege To easily deploy Vault locally: (DO NOT DO THIS FOR PRODUCTION!!!) -.. code:: bash +.. code:: sh $ docker run -d -p8200:8200 vault:1.2.0 server -dev -dev-root-token-id=toor -.. code:: bash +.. code:: sh $ # Substitute this with the address Vault is running on $ export VAULT_ADDR=http://127.0.0.1:8200 @@ -395,9 +397,9 @@ the environment variables ``SOPS_KMS_ARN``, ``SOPS_PGP_FP``, ``SOPS_GCP_KMS_IDS` parameters again. Master PGP and KMS keys can be added and removed from a ``sops`` file in one of -three ways:: +three ways: -1. By using a .sops.yaml file and the ``updatekeys`` command. +1. By using a ``.sops.yaml`` file and the ``updatekeys`` command. 2. By using command line flags. @@ -422,7 +424,7 @@ separated list. 85D77543B3D624B63CEA9E6DBC17301B491B3F21, FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 -.. code:: bash +.. code:: sh $ sops updatekeys test.enc.yaml @@ -442,7 +444,7 @@ Note that ``-r`` or ``--rotate`` is mandatory in this mode. Not specifying rotate will ignore the ``--add-*`` options. Use ``updatekeys`` if you want to add a key without rotating the data key. -.. code:: bash +.. code:: sh # add a new pgp key to the file and rotate the data key $ sops -r -i --add-pgp 85D77543B3D624B63CEA9E6DBC17301B491B3F21 example.yaml 
@@ -567,7 +569,7 @@ to refine the access control of a given KMS master key. When creating a new file, you can specify encryption context in the ``--encryption-context`` flag by comma separated list of key-value pairs: -.. code:: bash +.. code:: sh $ sops --encryption-context Environment:production,Role:web-server test.dev.yaml @@ -604,12 +606,12 @@ rotation via the ``-r`` flag. Invoking it on an existing file causes sops to reencrypt the file with a new data key, which is then encrypted with the various KMS and PGP master keys defined in the file. -.. code:: bash +.. code:: sh - sops -r example.yaml + $ sops -r example.yaml Using .sops.yaml conf to select KMS, PGP and age for new files -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It is often tedious to specify the ``--kms`` ``--gcp-kms`` ``--pgp`` and ``--age`` parameters for creation of all new files. If your secrets are stored under a specific directory, like a @@ -688,7 +690,7 @@ The path_regex checks the path of the encrypting file relative to the .sops.yaml Creating a new file with the right keys is now as simple as -.. code:: bash +.. code:: sh $ sops .prod.yaml @@ -745,14 +747,14 @@ Management of key groups is done with the ``sops groups`` command. For example, you can add a new key group with 3 PGP keys and 3 KMS keys to the file ``my_file.yaml``: -.. code:: bash +.. code:: sh $ sops groups add --file my_file.yaml --pgp fingerprint1 --pgp fingerprint2 --pgp fingerprint3 --kms arn1 --kms arn2 --kms arn3 Or you can delete the 1st group (group number 0, as groups are zero-indexed) from ``my_file.yaml``: -.. code:: bash +.. code:: sh $ sops groups delete --file my_file.yaml 0 @@ -793,7 +795,7 @@ the master keys found in each group. For example: -.. code:: bash +.. code:: sh $ sops --shamir-secret-sharing-threshold 2 example.json 
@@ -833,7 +835,7 @@ The threshold (``shamir_threshold``) is set to 2, so this configuration will req master keys from two of the three different key groups in order to decrypt the file. You can then decrypt the file the same way as with any other SOPS file: -.. code:: bash +.. code:: sh $ sops -d example.json @@ -873,14 +875,14 @@ services. The local key service can be disabled with For example, to decrypt a file using both the local key service and the key service exposed on the unix socket located in ``/tmp/sops.sock``, you can run: -.. code:: bash +.. code:: sh $ sops --keyservice unix:///tmp/sops.sock -d file.yaml` And if you only want to use the key service exposed on the unix socket located in ``/tmp/sops.sock`` and not the local key service, you can run: -.. code:: bash +.. code:: sh $ sops --enable-local-keyservice=false --keyservice unix:///tmp/sops.sock -d file.yaml @@ -946,7 +948,7 @@ program looks for credentials in its environment, ``exec-env`` can be used to ensure that the decrypted contents are available only to this process and never written to disk. -.. code:: bash +.. code:: sh # print secrets to stdout to confirm values $ sops -d out.json @@ -984,7 +986,7 @@ up once the process is finished executing. ``exec-file`` behaves similar to ``find(1)`` in that ``{}`` is used as a placeholder in the command which will be substituted with the temporary file path (whether a FIFO or an actual file). -.. code:: bash +.. code:: sh # operating on the same file as before, but as a file this time $ sops exec-file out.json 'echo your temporary file: {}; cat {}' @@ -1022,7 +1024,7 @@ for added security. To overwrite the default file name (``tmp-file``) in ``exec-file`` use the ``--filename `` parameter. -.. code:: bash +.. code:: sh # the encrypted file can't be read by the current user $ cat out.json 
@@ -1095,7 +1097,7 @@ will be skipped. Below is an example of publishing to Vault (using token auth with a local dev instance of Vault). -.. code:: bash +.. code:: sh $ export VAULT_TOKEN=... $ export VAULT_ADDR='http://127.0.0.1:8200' @@ -1138,7 +1140,7 @@ Therefore, if a file is encrypted using a specific format, it need to be decrypt in the same format. The easiest way to achieve this is to conserve the original file extension after encrypting a file. For example: -.. code:: bash +.. code:: sh $ sops -e -i myfile.json $ sops -d myfile.json @@ -1146,7 +1148,7 @@ extension after encrypting a file. For example: If you want to change the extension of the file once encrypted, you need to provide sops with the ``--input-type`` flag upon decryption. For example: -.. code:: bash +.. code:: sh $ sops -e myfile.json > myfile.json.enc @@ -1154,7 +1156,7 @@ sops with the ``--input-type`` flag upon decryption. For example: When operating on stdin, use the ``--input-type`` and ``--output-type`` flags as follows: -.. code:: bash +.. code:: sh $ cat myfile.json | sops --input-type json --output-type json -d /dev/stdin @@ -1250,14 +1252,14 @@ But this one will work just fine: Examples -------- -Take a look into the `examples `_ folder for detailed use cases of sops in a CI environment. The section below describes specific tips for common use cases. +Take a look into the `examples folder `_ for detailed use cases of sops in a CI environment. The section below describes specific tips for common use cases. Creating a new file ~~~~~~~~~~~~~~~~~~~ The command below creates a new file with a data key encrypted by KMS and PGP. -.. code:: bash +.. code:: sh $ sops --kms "arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500" --pgp C9CAB0AF1165060DB58D6D6B2653B624D620786D /path/to/new/file.yaml 
@@ -1268,7 +1270,7 @@ Similar to the previous command, we tell sops to use one KMS and one PGP key. The path points to an existing cleartext file, so we give sops flag ``-e`` to encrypt the file, and redirect the output to a destination file. -.. code:: bash +.. code:: sh $ export SOPS_KMS_ARN="arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500" $ export SOPS_PGP_FP="C9CAB0AF1165060DB58D6D6B2653B624D620786D" @@ -1276,7 +1278,7 @@ encrypt the file, and redirect the output to a destination file. Decrypt the file with ``-d``. -.. code:: bash +.. code:: sh $ sops -d /path/to/new/encrypted/file.yaml @@ -1286,7 +1288,7 @@ Encrypt or decrypt a file in place Rather than redirecting the output of ``-e`` or ``-d``, sops can replace the original file after encrypting or decrypting it. -.. code:: bash +.. code:: sh # file.yaml is in cleartext $ sops -e -i /path/to/existing/file.yaml @@ -1307,7 +1309,7 @@ file larger than the cleartext one. In-place encryption/decryption also works on binary files. -.. code:: +.. code:: sh $ dd if=/dev/urandom of=/tmp/somerandom bs=1024 count=512 @@ -1333,7 +1335,7 @@ Extract a sub-part of a document tree path in the ``--extract`` command line flag. This is useful to extract specific values, like keys, without needing an extra parser. -.. code:: bash +.. code:: sh $ sops -d --extract '["app2"]["key"]' ~/git/svc/sops/example.yaml -----BEGIN RSA PRIVATE KEY----- @@ -1350,7 +1352,7 @@ The tree path syntax uses regular python dictionary syntax, without the variable name. Extract keys by naming them, and array elements by numbering them. -.. code:: bash +.. code:: sh $ sops -d --extract '["an_array"][1]' ~/git/svc/sops/example.yaml secretuser2 
@@ -1362,7 +1364,7 @@ Set a sub-part in a document tree the path and value in the ``--set`` command line flag. This is useful to set specific values, like keys, without needing an editor. -.. code:: bash +.. code:: sh $ sops --set '["app2"]["key"] "app2keystringvalue"' ~/git/svc/sops/example.yaml @@ -1370,13 +1372,13 @@ The tree path syntax uses regular python dictionary syntax, without the variable name. Set to keys by naming them, and array elements by numbering them. -.. code:: bash +.. code:: sh $ sops --set '["an_array"][1] "secretuser2"' ~/git/svc/sops/example.yaml The value must be formatted as json. -.. code:: bash +.. code:: sh $ sops --set '["an_array"][1] {"uid1":null,"uid2":1000,"uid3":["bob"]}' ~/git/svc/sops/example.yaml @@ -1390,14 +1392,14 @@ This is very handy for reviewing changes or visualizing history. To configure sops to decrypt files during diff, create a ``.gitattributes`` file at the root of your repository that contains a filter and a command. -.. code:: +.. code:: text *.yaml diff=sopsdiffer Here we only care about YAML files. ``sopsdiffer`` is an arbitrary name that we map to a sops command in the git configuration file of the repository. -.. code:: bash +.. code:: sh $ git config diff.sopsdiffer.textconv "sops -d" @@ -1433,7 +1435,7 @@ by adding a chosen suffix to those keys and passing it to the ``--encrypted-suff A third method is to use the ``--encrypted-regex`` which will only encrypt values under keys that match the supplied regular expression. For example, this command: -.. code:: bash +.. code:: sh $ sops --encrypt --encrypted-regex '^(data|stringData)$' k8s-secrets.yaml 
@@ -1445,7 +1447,7 @@ Conversely, you can opt in to only left certain keys without encrypting by using ``--unencrypted-regex`` option, which will leave the values unencrypted of those keys that match the supplied regular expression. For example, this command: -.. code:: bash +.. code:: sh $ sops --encrypt --unencrypted-regex '^(description|metadata)$' k8s-secrets.yaml @@ -1645,7 +1647,7 @@ PGP file: by referencing the pubkeys of each individual who has access to the fi It can easily be done by providing sops with a comma-separated list of public keys when creating a new file: -.. code:: bash +.. code:: sh $ sops --pgp "E60892BB9BD89A69F759A1A0A3D652173B763E8F,84050F1D61AF7C230A12217687DF65059EF093D3,85D77543B3D624B63CEA9E6DBC17301B491B3F21" mynewfile.yaml From 28eb25e8438ce5d143284fdaeacefaf9befda1b8 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Sat, 16 Sep 2023 11:26:19 +0200 Subject: [PATCH 110/135] Improve MD files (with mdl feedback). Signed-off-by: Felix Fontein --- CONTRIBUTING.md | 11 ++++++----- docs/release.md | 1 + shamir/README.md | 3 ++- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index a33b37e77..885e14376 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -3,7 +3,7 @@ The SOPS project welcomes contributions from everyone. Here are a few guidelines and instructions if you are thinking of helping with the development of SOPS. -# Getting started +## Getting started - Make sure you have Go 1.19 or greater installed. You can find information on how to install Go [here](https://go.dev/doc/install) 
@@ -11,21 +11,22 @@ and instructions if you are thinking of helping with the development of SOPS. - Run the tests with `make test`. They should all pass. - Fork the project on GitHub. - Add your fork to Git's remotes: - + If you use SSH authentication: `git remote add git@github.com:/sops.git`. - + Otherwise: `git remote add https://github.com//sops.git`. + - If you use SSH authentication: + `git remote add git@github.com:/sops.git`. + - Otherwise: `git remote add https://github.com//sops.git`. - Make any changes you want to SOPS, commit them, and push them to your fork. - **Create a pull request against `main`**, and a maintainer will come by and review your code. They may ask for some changes, and hopefully your contribution will be merged! -# Guidelines +## Guidelines - Unless it's particularly hard, changes that fix a bug should have a regression test to make sure that the bug is not introduced again. - New features and changes to existing features should be documented, and, if possible, tested. -# Communication +## Communication If you need any help contributing to SOPS, several maintainers are on the [`#sops-dev` channel](https://cloud-native.slack.com/archives/C059800AJBT) on diff --git a/docs/release.md b/docs/release.md index 42207b35c..7485b136a 100644 --- a/docs/release.md +++ b/docs/release.md @@ -54,6 +54,7 @@ This configuration is quite sophisticated, and ensures at least the following: git checkout main git pull ``` + - [ ] Create a **signed tag** for the release, using the following command: ```sh diff --git a/shamir/README.md b/shamir/README.md index d92f3b557..256077de7 100644 --- a/shamir/README.md +++ b/shamir/README.md @@ -1,3 +1,5 @@ +# Shamir's secret sharing + Forked from [Vault](https://github.com/hashicorp/vault/tree/master/shamir) ## How it works @@ -102,7 +104,6 @@ L(x) = So the polynomial we were looking for is `y = x^2`. - ## Splitting a secret So we have the ability of splitting a function into parts, but in the context 
From 70dc521f5abbd57f0b76b02dff8a8d2e948affbb Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Sat, 16 Sep 2023 11:46:59 +0200 Subject: [PATCH 111/135] Normalize indentation for code blocks and YAML files. Signed-off-by: Felix Fontein --- README.rst | 864 ++++++++++++++++++++++++++--------------------------- 1 file changed, 432 insertions(+), 432 deletions(-) diff --git a/README.rst b/README.rst index d181fc291..38cf786d1 100644 --- a/README.rst +++ b/README.rst @@ -10,7 +10,7 @@ formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. ------------ .. image:: https://pkg.go.dev/badge/github.com/getsops/sops/v3.svg - :target: https://pkg.go.dev/github.com/getsops/sops/v3 + :target: https://pkg.go.dev/github.com/getsops/sops/v3 Download -------- @@ -25,10 +25,10 @@ For the adventurous, unstable features are available in the `main` branch, which .. code:: bash - $ mkdir -p $GOPATH/src/github.com/getsops/sops/ - $ git clone https://github.com/getsops/sops.git $GOPATH/src/github.com/getsops/sops/ - $ cd $GOPATH/src/github.com/getsops/sops/ - $ make install + $ mkdir -p $GOPATH/src/github.com/getsops/sops/ + $ git clone https://github.com/getsops/sops.git $GOPATH/src/github.com/getsops/sops/ + $ cd $GOPATH/src/github.com/getsops/sops/ + $ make install (requires Go >= 1.19) @@ -36,10 +36,10 @@ If you don't have Go installed, set it up with: .. code:: bash - $ {apt,yum,brew} install golang - $ echo 'export GOPATH=~/go' >> ~/.bashrc - $ source ~/.bashrc - $ mkdir $GOPATH + $ {apt,yum,brew} install golang + $ echo 'export GOPATH=~/go' >> ~/.bashrc + $ source ~/.bashrc + $ mkdir $GOPATH Or whatever variation of the above fits your system and shell. 
@@ -62,7 +62,7 @@ recommended to use at least two master keys in different regions. .. code:: bash - export SOPS_KMS_ARN="arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e,arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d" + export SOPS_KMS_ARN="arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e,arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d" SOPS uses `aws-sdk-go-v2 `_ to communicate with AWS KMS. It will automatically read the credentials from the ``~/.aws/credentials`` file which can be created with the ``aws configure`` command. @@ -71,18 +71,18 @@ An example of the ``~/.aws/credentials`` file is shown below: .. code:: sh - $ cat ~/.aws/credentials - [default] - aws_access_key_id = AKI..... - aws_secret_access_key = mw...... + $ cat ~/.aws/credentials + [default] + aws_access_key_id = AKI..... + aws_secret_access_key = mw...... In addition to the ``~/.aws/credentials`` file, you can also use the ``AWS_ACCESS_KEY_ID`` and ``AWS_SECRET_ACCESS_KEY`` environment variables to specify your credentials: .. code:: bash - export AWS_ACCESS_KEY_ID="AKI......" - export AWS_SECRET_ACCESS_KEY="mw......" + export AWS_ACCESS_KEY_ID="AKI......" + export AWS_SECRET_ACCESS_KEY="mw......" For more information and additional environment variables, see `specifying credentials `_. @@ -92,7 +92,7 @@ separated, in the **SOPS_PGP_FP** env variable. .. code:: bash - export SOPS_PGP_FP="85D77543B3D624B63CEA9E6DBC17301B491B3F21,E60892BB9BD89A69F759A1A0A3D652173B763E8F" + export SOPS_PGP_FP="85D77543B3D624B63CEA9E6DBC17301B491B3F21,E60892BB9BD89A69F759A1A0A3D652173B763E8F" Note: you can use both PGP and KMS simultaneously. 
@@ -101,10 +101,10 @@ encryption/decryption transparently and open the cleartext file in an editor .. code:: sh - $ sops mynewtestfile.yaml - mynewtestfile.yaml doesn't exist, creating it. - please wait while an encryption key is being generated and stored in a secure fashion - file written to mynewtestfile.yaml + $ sops mynewtestfile.yaml + mynewtestfile.yaml doesn't exist, creating it. + please wait while an encryption key is being generated and stored in a secure fashion + file written to mynewtestfile.yaml Editing will happen in whatever ``$EDITOR`` is set to, or, if it's not set, in vim. Keep in mind that sops will wait for the editor to exit, and then try to reencrypt 
@@ -126,25 +126,25 @@ The resulting encrypted file looks like this: key: |- ENC[AES256_GCM,data:Ea3kL5O5U8=,iv:DM=,aad:FKA=,tag:EA==] an_array: - - ENC[AES256_GCM,data:v8jQ=,iv:HBE=,aad:21c=,tag:gA==] - - ENC[AES256_GCM,data:X10=,iv:o8=,aad:CQ=,tag:Hw==] - - ENC[AES256_GCM,data:KN=,iv:160=,aad:fI4=,tag:tNw==] + - ENC[AES256_GCM,data:v8jQ=,iv:HBE=,aad:21c=,tag:gA==] + - ENC[AES256_GCM,data:X10=,iv:o8=,aad:CQ=,tag:Hw==] + - ENC[AES256_GCM,data:KN=,iv:160=,aad:fI4=,tag:tNw==] sops: kms: - - created_at: 1441570389.775376 - enc: CiC....Pm1Hm - arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e - - created_at: 1441570391.925734 - enc: Ci...awNx - arn: arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d + - created_at: 1441570389.775376 + enc: CiC....Pm1Hm + arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e + - created_at: 1441570391.925734 + enc: Ci...awNx + arn: arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d pgp: - - fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21 - created_at: 1441570391.930042 - enc: | - -----BEGIN PGP MESSAGE----- - hQIMA0t4uZHfl9qgAQ//UvGAwGePyHuf2/zayWcloGaDs0MzI+zw6CmXvMRNPUsA - ...=oJgS - -----END PGP MESSAGE----- + - fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21 + created_at: 1441570391.930042 + enc: | + -----BEGIN PGP MESSAGE----- + hQIMA0t4uZHfl9qgAQ//UvGAwGePyHuf2/zayWcloGaDs0MzI+zw6CmXvMRNPUsA + ...=oJgS + -----END PGP MESSAGE----- A copy of the encryption/decryption key is stored securely in each KMS and PGP block. As long as one of the KMS or PGP method is still usable, you will be able @@ -154,7 +154,7 @@ To decrypt a file in a ``cat`` fashion, use the ``-d`` flag: .. code:: sh - $ sops -d mynewtestfile.yaml + $ sops -d mynewtestfile.yaml ``sops`` encrypted files contain the necessary information to decrypt their content. All a user of ``sops`` needs is valid AWS credentials and the necessary 
@@ -164,7 +164,7 @@ Given that, the only command a ``sops`` user needs is: .. code:: sh - $ sops + $ sops `` will be opened, decrypted, passed to a text editor (vim by default), encrypted if modified, and saved back to its original location. All of these @@ -176,10 +176,10 @@ Test with the dev PGP key If you want to test **sops** without having to do a bunch of setup, you can use the example files and pgp key provided with the repository:: - $ git clone https://github.com/getsops/sops.git - $ cd sops - $ gpg --import pgp/sops_functional_tests_key.asc - $ sops example.yaml + $ git clone https://github.com/getsops/sops.git + $ cd sops + $ gpg --import pgp/sops_functional_tests_key.asc + $ sops example.yaml This last step will decrypt ``example.yaml`` using the test private key. @@ -195,7 +195,7 @@ the ``--age`` option or the **SOPS_AGE_RECIPIENTS** environment variable: .. code:: sh - $ sops --encrypt --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml + $ sops --encrypt --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml When decrypting a file with the corresponding identity, sops will look for a text file name ``keys.txt`` located in a ``sops`` subdirectory of your user @@ -221,13 +221,13 @@ If you already logged in using .. code:: sh - $ gcloud auth login + $ gcloud auth login you can enable application default credentials using the sdk: .. code:: sh - $ gcloud auth application-default login + $ gcloud auth application-default login Encrypting/decrypting with GCP KMS requires a KMS ResourceID. You can use the cloud console the get the ResourceID or you can create one using the gcloud 
@@ -235,21 +235,21 @@ sdk: .. code:: sh - $ gcloud kms keyrings create sops --location global - $ gcloud kms keys create sops-key --location global --keyring sops --purpose encryption - $ gcloud kms keys list --location global --keyring sops + $ gcloud kms keyrings create sops --location global + $ gcloud kms keys create sops-key --location global --keyring sops --purpose encryption + $ gcloud kms keys list --location global --keyring sops - # you should see - NAME PURPOSE PRIMARY_STATE - projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key ENCRYPT_DECRYPT ENABLED + # you should see + NAME PURPOSE PRIMARY_STATE + projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key ENCRYPT_DECRYPT ENABLED Now you can encrypt a file using:: - $ sops --encrypt --gcp-kms projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key test.yaml > test.enc.yaml + $ sops --encrypt --gcp-kms projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key test.yaml > test.enc.yaml And decrypt it using:: - $ sops --decrypt test.enc.yaml + $ sops --decrypt test.enc.yaml Encrypting using Azure Key Vault ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -273,57 +273,57 @@ For example, you can use a Service Principal with the following environment vari .. code:: bash - AZURE_TENANT_ID - AZURE_CLIENT_ID - AZURE_CLIENT_SECRET + AZURE_TENANT_ID + AZURE_CLIENT_ID + AZURE_CLIENT_SECRET You can create a Service Principal using the CLI like this: .. code:: sh - $ az ad sp create-for-rbac -n my-keyvault-sp + $ az ad sp create-for-rbac -n my-keyvault-sp - { - "appId": "", - "displayName": "my-keyvault-sp", - "name": "http://my-keyvault-sp", - "password": "", - "tenant": "" - } + { + "appId": "", + "displayName": "my-keyvault-sp", + "name": "http://my-keyvault-sp", + "password": "", + "tenant": "" + } The `appId` is the client ID, and the `password` is the client secret. Encrypting/decrypting with Azure Key Vault requires the resource identifier for a key. This has the following form:: - https://${VAULT_URL}/keys/${KEY_NAME}/${KEY_VERSION} + https://${VAULT_URL}/keys/${KEY_NAME}/${KEY_VERSION} To create a Key Vault and assign your service principal permissions on it from the commandline: .. 
code:: sh - # Create a resource group if you do not have one: - $ az group create --name sops-rg --location westeurope - # Key Vault names are globally unique, so generate one: - $ keyvault_name=sops-$(uuidgen | tr -d - | head -c 16) - # Create a Vault, a key, and give the service principal access: - $ az keyvault create --name $keyvault_name --resource-group sops-rg --location westeurope - $ az keyvault key create --name sops-key --vault-name $keyvault_name --protection software --ops encrypt decrypt - $ az keyvault set-policy --name $keyvault_name --resource-group sops-rg --spn $AZURE_CLIENT_ID \ - --key-permissions encrypt decrypt - # Read the key id: - $ az keyvault key show --name sops-key --vault-name $keyvault_name --query key.kid + # Create a resource group if you do not have one: + $ az group create --name sops-rg --location westeurope + # Key Vault names are globally unique, so generate one: + $ keyvault_name=sops-$(uuidgen | tr -d - | head -c 16) + # Create a Vault, a key, and give the service principal access: + $ az keyvault create --name $keyvault_name --resource-group sops-rg --location westeurope + $ az keyvault key create --name sops-key --vault-name $keyvault_name --protection software --ops encrypt decrypt + $ az keyvault set-policy --name $keyvault_name --resource-group sops-rg --spn $AZURE_CLIENT_ID \ + --key-permissions encrypt decrypt + # Read the key id: + $ az keyvault key show --name sops-key --vault-name $keyvault_name --query key.kid - https://sops.vault.azure.net/keys/sops-key/some-string + https://sops.vault.azure.net/keys/sops-key/some-string Now you can encrypt a file using:: - $ sops --encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/some-string test.yaml > test.enc.yaml + $ sops --encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/some-string test.yaml > test.enc.yaml And decrypt it using:: - $ sops --decrypt test.enc.yaml + $ sops --decrypt test.enc.yaml Encrypting using Hashicorp Vault 
@@ -335,56 +335,56 @@ To easily deploy Vault locally: (DO NOT DO THIS FOR PRODUCTION!!!) .. code:: sh - $ docker run -d -p8200:8200 vault:1.2.0 server -dev -dev-root-token-id=toor + $ docker run -d -p8200:8200 vault:1.2.0 server -dev -dev-root-token-id=toor .. code:: sh - $ # Substitute this with the address Vault is running on - $ export VAULT_ADDR=http://127.0.0.1:8200 - - $ # this may not be necessary in case you previously used `vault login` for production use - $ export VAULT_TOKEN=toor - - $ # to check if Vault started and is configured correctly - $ vault status - Key Value - --- ----- - Seal Type shamir - Initialized true - Sealed false - Total Shares 1 - Threshold 1 - Version 1.2.0 - Cluster Name vault-cluster-618cc902 - Cluster ID e532e461-e8f0-1352-8a41-fc7c11096908 - HA Enabled false - - $ # It is required to enable a transit engine if not already done (It is suggested to create a transit engine specifically for sops, in which it is possible to have multiple keys with various permission levels) - $ vault secrets enable -path=sops transit - Success! Enabled the transit secrets engine at: sops/ - - $ # Then create one or more keys - $ vault write sops/keys/firstkey type=rsa-4096 - Success! Data written to: sops/keys/firstkey - - $ vault write sops/keys/secondkey type=rsa-2048 - Success! Data written to: sops/keys/secondkey - - $ vault write sops/keys/thirdkey type=chacha20-poly1305 - Success! 
Data written to: sops/keys/thirdkey - - $ sops --encrypt --hc-vault-transit $VAULT_ADDR/v1/sops/keys/firstkey vault_example.yml - - $ cat < .sops.yaml - creation_rules: - - path_regex: \.dev\.yaml$ - hc_vault_transit_uri: "$VAULT_ADDR/v1/sops/keys/secondkey" - - path_regex: \.prod\.yaml$ - hc_vault_transit_uri: "$VAULT_ADDR/v1/sops/keys/thirdkey" - EOF - - $ sops --verbose -e prod/raw.yaml > prod/encrypted.yaml + $ # Substitute this with the address Vault is running on + $ export VAULT_ADDR=http://127.0.0.1:8200 + + $ # this may not be necessary in case you previously used `vault login` for production use + $ export VAULT_TOKEN=toor + + $ # to check if Vault started and is configured correctly + $ vault status + Key Value + --- ----- + Seal Type shamir + Initialized true + Sealed false + Total Shares 1 + Threshold 1 + Version 1.2.0 + Cluster Name vault-cluster-618cc902 + Cluster ID e532e461-e8f0-1352-8a41-fc7c11096908 + HA Enabled false + + $ # It is required to enable a transit engine if not already done (It is suggested to create a transit engine specifically for sops, in which it is possible to have multiple keys with various permission levels) + $ vault secrets enable -path=sops transit + Success! Enabled the transit secrets engine at: sops/ + + $ # Then create one or more keys + $ vault write sops/keys/firstkey type=rsa-4096 + Success! Data written to: sops/keys/firstkey + + $ vault write sops/keys/secondkey type=rsa-2048 + Success! Data written to: sops/keys/secondkey + + $ vault write sops/keys/thirdkey type=chacha20-poly1305 + Success! 
Data written to: sops/keys/thirdkey + + $ sops --encrypt --hc-vault-transit $VAULT_ADDR/v1/sops/keys/firstkey vault_example.yml + + $ cat < .sops.yaml + creation_rules: + - path_regex: \.dev\.yaml$ + hc_vault_transit_uri: "$VAULT_ADDR/v1/sops/keys/secondkey" + - path_regex: \.prod\.yaml$ + hc_vault_transit_uri: "$VAULT_ADDR/v1/sops/keys/thirdkey" + EOF + + $ sops --verbose -e prod/raw.yaml > prod/encrypted.yaml Adding and removing keys ~~~~~~~~~~~~~~~~~~~~~~~~ @@ -426,7 +426,7 @@ separated list. .. code:: sh - $ sops updatekeys test.enc.yaml + $ sops updatekeys test.enc.yaml Sops will prompt you with the changes to be made. This interactivity can be disabled by supplying the ``-y`` flag. @@ -446,11 +446,11 @@ add a key without rotating the data key. .. code:: sh - # add a new pgp key to the file and rotate the data key - $ sops -r -i --add-pgp 85D77543B3D624B63CEA9E6DBC17301B491B3F21 example.yaml + # add a new pgp key to the file and rotate the data key + $ sops -r -i --add-pgp 85D77543B3D624B63CEA9E6DBC17301B491B3F21 example.yaml - # remove a pgp key from the file and rotate the data key - $ sops -r -i --rm-pgp 85D77543B3D624B63CEA9E6DBC17301B491B3F21 example.yaml + # remove a pgp key from the file and rotate the data key + $ sops -r -i --rm-pgp 85D77543B3D624B63CEA9E6DBC17301B491B3F21 example.yaml Direct Editing @@ -466,17 +466,17 @@ editing: .. code:: yaml - sops: - kms: - - arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e + sops: + kms: + - arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e And, similarly, to add a PGP master key, we add its fingerprint: .. code:: yaml - sops: - pgp: - - fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21 + sops: + pgp: + - fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21 When the file is saved, ``sops`` will update its metadata and encrypt the data key with the freshly added master keys. The removed entries are simply deleted from 
@@ -493,10 +493,10 @@ If you want to use a specific profile, you can do so with `aws_profile`: .. code:: yaml - sops: - kms: - - arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e - aws_profile: foo + sops: + kms: + - arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e + aws_profile: foo If no AWS profile is set, default credentials will be used. @@ -525,39 +525,39 @@ must assume alongside its ARN, as follows: .. code:: yaml - sops: - kms: - - arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e - role: arn:aws:iam::927034868273:role/sops-dev-xyz + sops: + kms: + - arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e + role: arn:aws:iam::927034868273:role/sops-dev-xyz The role must have permission to call Encrypt and Decrypt using KMS. An example policy is shown below. .. code:: json - { - "Sid": "Allow use of the key", - "Effect": "Allow", - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:DescribeKey" - ], - "Resource": "*", - "Principal": { - "AWS": [ - "arn:aws:iam::927034868273:role/sops-dev-xyz" - ] - } - } + { + "Sid": "Allow use of the key", + "Effect": "Allow", + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "*", + "Principal": { + "AWS": [ + "arn:aws:iam::927034868273:role/sops-dev-xyz" + ] + } + } You can specify a role in the ``--kms`` flag and ``SOPS_KMS_ARN`` variable by appending it to the ARN of the master key, separated by a **+** sign:: - + - arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500+arn:aws:iam::927034868273:role/sops-dev-xyz + + + arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500+arn:aws:iam::927034868273:role/sops-dev-xyz AWS KMS Encryption Context ~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -571,7 +571,7 @@ When creating a new file, you can specify encryption context in the .. code:: sh - $ sops --encryption-context Environment:production,Role:web-server test.dev.yaml + $ sops --encryption-context Environment:production,Role:web-server test.dev.yaml The format of the Encrypt Context string is ``:,:,...`` @@ -608,7 +608,7 @@ KMS and PGP master keys defined in the file. .. code:: sh - $ sops -r example.yaml + $ sops -r example.yaml Using .sops.yaml conf to select KMS, PGP and age for new files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -630,31 +630,31 @@ can manage the three sets of configurations for the three types of files: .. code:: yaml - # creation rules are evaluated sequentially, the first match wins - creation_rules: - # upon creation of a file that matches the pattern *.dev.yaml, - # KMS set A as well as PGP and age is used - - path_regex: \.dev\.yaml$ - kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod' - pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' - age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla' - - # prod files use KMS set B in the PROD IAM, PGP and age - - path_regex: \.prod\.yaml$ - kms: 'arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod,arn:aws:kms:eu-central-1:361527076523:key/cb1fab90-8d17-42a1-a9d8-334968904f94+arn:aws:iam::361527076523:role/hiera-sops-prod' - pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' - age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla' - hc_vault_uris: "http://localhost:8200/v1/sops/keys/thirdkey" - - # gcp files using GCP KMS - - path_regex: \.gcp\.yaml$ - gcp_kms: projects/mygcproject/locations/global/keyRings/mykeyring/cryptoKeys/thekey - - # Finally, if the rules above have not matched, this one is a - # catchall that will encrypt the file using KMS set C as well as PGP - # The absence of a path_regex means it will match everything - - kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:142069644989:key/846cfb17-373d-49b9-8baf-f36b04512e47,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e' - pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' + # creation rules are evaluated sequentially, the first match wins + creation_rules: + # upon creation of a file that matches the pattern *.dev.yaml, + # KMS set A 
as well as PGP and age is used + - path_regex: \.dev\.yaml$ + kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod' + pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' + age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla' + + # prod files use KMS set B in the PROD IAM, PGP and age + - path_regex: \.prod\.yaml$ + kms: 'arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod,arn:aws:kms:eu-central-1:361527076523:key/cb1fab90-8d17-42a1-a9d8-334968904f94+arn:aws:iam::361527076523:role/hiera-sops-prod' + pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' + age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla' + hc_vault_uris: "http://localhost:8200/v1/sops/keys/thirdkey" + + # gcp files using GCP KMS + - path_regex: \.gcp\.yaml$ + gcp_kms: projects/mygcproject/locations/global/keyRings/mykeyring/cryptoKeys/thekey + + # Finally, if the rules above have not matched, this one is a + # catchall that will encrypt the file using KMS set C as well as PGP + # The absence of a path_regex means it will match everything + - kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:142069644989:key/846cfb17-373d-49b9-8baf-f36b04512e47,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e' + pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' When creating any file under **mysecretrepo**, whether at the root or under a subdirectory, sops will recursively look for a ``.sops.yaml`` file. If one is @@ -692,7 +692,7 @@ Creating a new file with the right keys is now as simple as .. code:: sh - $ sops .prod.yaml + $ sops .prod.yaml Note that the configuration file is ignored when KMS or PGP parameters are passed on the sops command line or in environment variables. 
@@ -708,7 +708,7 @@ Example: place the following in your ``~/.bashrc`` .. code:: bash - SOPS_GPG_EXEC = 'your_gpg_client_wrapper' + SOPS_GPG_EXEC = 'your_gpg_client_wrapper' Specify a different GPG key server @@ -766,26 +766,26 @@ like so: creation_rules: - path_regex: .*keygroups.* key_groups: - # First key group - - pgp: - - fingerprint1 - - fingerprint2 - kms: - - arn: arn1 - role: role1 - context: - foo: bar - - arn: arn2 - # Second key group - - pgp: - - fingerprint3 - - fingerprint4 - kms: - - arn: arn3 - - arn: arn4 - # Third key group - - pgp: - - fingerprint5 + # First key group + - pgp: + - fingerprint1 + - fingerprint2 + kms: + - arn: arn1 + role: role1 + context: + foo: bar + - arn: arn2 + # Second key group + - pgp: + - fingerprint3 + - fingerprint4 + kms: + - arn: arn3 + - arn: arn4 + # Third key group + - pgp: + - fingerprint5 Given this configuration, we can create a new encrypted file like we normally would, and optionally provide the ``--shamir-secret-sharing-threshold`` command line @@ -808,26 +808,26 @@ with ``shamir_threshold``: - path_regex: .*keygroups.* shamir_threshold: 2 key_groups: - # First key group - - pgp: - - fingerprint1 - - fingerprint2 - kms: - - arn: arn1 - role: role1 - context: - foo: bar - - arn: arn2 - # Second key group - - pgp: - - fingerprint3 - - fingerprint4 - kms: - - arn: arn3 - - arn: arn4 - # Third key group - - pgp: - - fingerprint5 + # First key group + - pgp: + - fingerprint1 + - fingerprint2 + kms: + - arn: arn1 + role: role1 + context: + foo: bar + - arn: arn2 + # Second key group + - pgp: + - fingerprint3 + - fingerprint4 + kms: + - arn: arn3 + - arn: arn4 + # Third key group + - pgp: + - fingerprint5 And then run ``sops example.json``. 
@@ -950,28 +950,28 @@ written to disk. .. code:: sh - # print secrets to stdout to confirm values - $ sops -d out.json - { - "database_password": "jf48t9wfw094gf4nhdf023r", - "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", - "AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" - } + # print secrets to stdout to confirm values + $ sops -d out.json + { + "database_password": "jf48t9wfw094gf4nhdf023r", + "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", + "AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" + } - # decrypt out.json and run a command - # the command prints the environment variable and runs a script that uses it - $ sops exec-env out.json 'echo secret: $database_password; ./database-import' - secret: jf48t9wfw094gf4nhdf023r + # decrypt out.json and run a command + # the command prints the environment variable and runs a script that uses it + $ sops exec-env out.json 'echo secret: $database_password; ./database-import' + secret: jf48t9wfw094gf4nhdf023r - # launch a shell with the secrets available in its environment - $ sops exec-env out.json 'sh' - sh-3.2# echo $database_password - jf48t9wfw094gf4nhdf023r + # launch a shell with the secrets available in its environment + $ sops exec-env out.json 'sh' + sh-3.2# echo $database_password + jf48t9wfw094gf4nhdf023r - # the secret is not accessible anywhere else - sh-3.2$ exit - $ echo your password: $database_password - your password: + # the secret is not accessible anywhere else + sh-3.2$ exit + $ echo your password: $database_password + your password: If the command you want to run only operates on files, you can use ``exec-file`` 
@@ -988,31 +988,31 @@ substituted with the temporary file path (whether a FIFO or an actual file). .. code:: sh - # operating on the same file as before, but as a file this time - $ sops exec-file out.json 'echo your temporary file: {}; cat {}' - your temporary file: /tmp/.sops894650499/tmp-file - { - "database_password": "jf48t9wfw094gf4nhdf023r", - "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", - "AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" - } - - # launch a shell with a variable TMPFILE pointing to the temporary file - $ sops exec-file --no-fifo out.json 'TMPFILE={} sh' - sh-3.2$ echo $TMPFILE - /tmp/.sops506055069/tmp-file291138648 - sh-3.2$ cat $TMPFILE - { - "database_password": "jf48t9wfw094gf4nhdf023r", - "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", - "AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" - } - sh-3.2$ ./program --config $TMPFILE - sh-3.2$ exit - - # try to open the temporary file from earlier - $ cat /tmp/.sops506055069/tmp-file291138648 - cat: /tmp/.sops506055069/tmp-file291138648: No such file or directory + # operating on the same file as before, but as a file this time + $ sops exec-file out.json 'echo your temporary file: {}; cat {}' + your temporary file: /tmp/.sops894650499/tmp-file + { + "database_password": "jf48t9wfw094gf4nhdf023r", + "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", + "AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" + } + + # launch a shell with a variable TMPFILE pointing to the temporary file + $ sops exec-file --no-fifo out.json 'TMPFILE={} sh' + sh-3.2$ echo $TMPFILE + /tmp/.sops506055069/tmp-file291138648 + sh-3.2$ cat $TMPFILE + { + "database_password": "jf48t9wfw094gf4nhdf023r", + "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", + "AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" + } + sh-3.2$ ./program --config $TMPFILE + sh-3.2$ exit + + # try to open the temporary file from earlier + $ cat /tmp/.sops506055069/tmp-file291138648 + cat: 
/tmp/.sops506055069/tmp-file291138648: No such file or directory Additionally, on unix-like platforms, both ``exec-env`` and ``exec-file`` support dropping privileges before executing the new program via the @@ -1026,20 +1026,20 @@ To overwrite the default file name (``tmp-file``) in ``exec-file`` use the .. code:: sh - # the encrypted file can't be read by the current user - $ cat out.json - cat: out.json: Permission denied + # the encrypted file can't be read by the current user + $ cat out.json + cat: out.json: Permission denied - # execute sops as root, decrypt secrets, then drop privileges - $ sudo sops exec-env --user nobody out.json 'sh' - sh-3.2$ echo $database_password - jf48t9wfw094gf4nhdf023r + # execute sops as root, decrypt secrets, then drop privileges + $ sudo sops exec-env --user nobody out.json 'sh' + sh-3.2$ echo $database_password + jf48t9wfw094gf4nhdf023r - # dropped privileges, still can't load the original file - sh-3.2$ id - uid=4294967294(nobody) gid=4294967294(nobody) groups=4294967294(nobody) - sh-3.2$ cat out.json - cat: out.json: Permission denied + # dropped privileges, still can't load the original file + sh-3.2$ id + uid=4294967294(nobody) gid=4294967294(nobody) groups=4294967294(nobody) + sh-3.2$ cat out.json + cat: out.json: Permission denied Using the publish command ~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -1050,20 +1050,20 @@ This command requires a ``.sops.yaml`` configuration file. Below is an example: .. code:: yaml - destination_rules: - - s3_bucket: "sops-secrets" - path_regex: s3/* - recreation_rule: - pgp: F69E4901EDBAD2D1753F8C67A64535C4163FB307 - - gcs_bucket: "sops-secrets" - path_regex: gcs/* - recreation_rule: - pgp: F69E4901EDBAD2D1753F8C67A64535C4163FB307 - - vault_path: "sops/" - vault_kv_mount_name: "secret/" # default - vault_kv_version: 2 # default - path_regex: vault/* - omit_extensions: true + destination_rules: + - s3_bucket: "sops-secrets" + path_regex: s3/* + recreation_rule: + pgp: F69E4901EDBAD2D1753F8C67A64535C4163FB307 + - gcs_bucket: "sops-secrets" + path_regex: gcs/* + recreation_rule: + pgp: F69E4901EDBAD2D1753F8C67A64535C4163FB307 + - vault_path: "sops/" + vault_kv_mount_name: "secret/" # default + vault_kv_version: 2 # default + path_regex: vault/* + omit_extensions: true The above configuration will place all files under ``s3/*`` into the S3 bucket ``sops-secrets``, all files under ``gcs/*`` into the GCS bucket ``sops-secrets``, and the contents of all files under 
@@ -1099,30 +1099,30 @@ Below is an example of publishing to Vault (using token auth with a local dev in .. code:: sh - $ export VAULT_TOKEN=... - $ export VAULT_ADDR='http://127.0.0.1:8200' - $ sops -d vault/test.yaml - example_string: bar - example_number: 42 - example_map: - key: value - $ sops publish vault/test.yaml - uploading /home/user/sops_directory/vault/test.yaml to http://127.0.0.1:8200/v1/secret/data/sops/test.yaml ? (y/n): y - $ vault kv get secret/sops/test.yaml - ====== Metadata ====== - Key Value - --- ----- - created_time 2019-07-11T03:32:17.074792017Z - deletion_time n/a - destroyed false - version 3 - - ========= Data ========= - Key Value - --- ----- - example_map map[key:value] - example_number 42 - example_string bar + $ export VAULT_TOKEN=... + $ export VAULT_ADDR='http://127.0.0.1:8200' + $ sops -d vault/test.yaml + example_string: bar + example_number: 42 + example_map: + key: value + $ sops publish vault/test.yaml + uploading /home/user/sops_directory/vault/test.yaml to http://127.0.0.1:8200/v1/secret/data/sops/test.yaml ? (y/n): y + $ vault kv get secret/sops/test.yaml + ====== Metadata ====== + Key Value + --- ----- + created_time 2019-07-11T03:32:17.074792017Z + deletion_time n/a + destroyed false + version 3 + + ========= Data ========= + Key Value + --- ----- + example_map map[key:value] + example_number 42 + example_string bar Important information on types 
@@ -1142,17 +1142,17 @@ extension after encrypting a file. For example: .. code:: sh - $ sops -e -i myfile.json - $ sops -d myfile.json + $ sops -e -i myfile.json + $ sops -d myfile.json If you want to change the extension of the file once encrypted, you need to provide sops with the ``--input-type`` flag upon decryption. For example: .. code:: sh - $ sops -e myfile.json > myfile.json.enc + $ sops -e myfile.json > myfile.json.enc - $ sops -d --input-type json myfile.json.enc + $ sops -d --input-type json myfile.json.enc When operating on stdin, use the ``--input-type`` and ``--output-type`` flags as follows: @@ -1170,14 +1170,14 @@ This file will not work in ``sops``: .. code:: yaml - bill-to: &id001 - street: | - 123 Tornado Alley - Suite 16 - city: East Centerville - state: KS + bill-to: &id001 + street: | + 123 Tornado Alley + Suite 16 + city: East Centerville + state: KS - ship-to: *id001 + ship-to: *id001 ``sops`` uses the path to a value as additional data in the AEAD encryption, and thus dynamic paths generated by anchors break the authentication step. @@ -1193,10 +1193,10 @@ following multi-document will be encrypted as expected: .. code:: yaml - --- - data: foo - --- - data: bar + --- + data: foo + --- + data: bar Note that the ``sops`` metadata, i.e. the hash, etc, is computed for the physical file rather than each internal "document". 
@@ -1210,43 +1210,43 @@ This file will not work in sops: .. code:: yaml - --- - - some - - array - - elements + --- + - some + - array + - elements But this one will work because the ``sops`` key can be added at the same level as the ``data`` key. .. code:: yaml - data: - - some - - array - - elements + data: + - some + - array + - elements Similarly, with ``JSON`` arrays, this document will not work: .. code:: json - [ - "some", - "array", - "elements" - ] + [ + "some", + "array", + "elements" + ] But this one will work just fine: .. code:: json - { - "data": [ - "some", - "array", - "elements" - ] - } + { + "data": [ + "some", + "array", + "elements" + ] + } Examples @@ -1261,7 +1261,7 @@ The command below creates a new file with a data key encrypted by KMS and PGP. .. code:: sh - $ sops --kms "arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500" --pgp C9CAB0AF1165060DB58D6D6B2653B624D620786D /path/to/new/file.yaml + $ sops --kms "arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500" --pgp C9CAB0AF1165060DB58D6D6B2653B624D620786D /path/to/new/file.yaml Encrypting an existing file ~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -1272,15 +1272,15 @@ encrypt the file, and redirect the output to a destination file. .. code:: sh - $ export SOPS_KMS_ARN="arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500" - $ export SOPS_PGP_FP="C9CAB0AF1165060DB58D6D6B2653B624D620786D" - $ sops -e /path/to/existing/file.yaml > /path/to/new/encrypted/file.yaml + $ export SOPS_KMS_ARN="arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500" + $ export SOPS_PGP_FP="C9CAB0AF1165060DB58D6D6B2653B624D620786D" + $ sops -e /path/to/existing/file.yaml > /path/to/new/encrypted/file.yaml Decrypt the file with ``-d``. .. code:: sh - $ sops -d /path/to/new/encrypted/file.yaml + $ sops -d /path/to/new/encrypted/file.yaml Encrypt or decrypt a file in place ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -1290,11 +1290,11 @@ original file after encrypting or decrypting it. .. code:: sh - # file.yaml is in cleartext - $ sops -e -i /path/to/existing/file.yaml - # file.yaml is now encrypted - $ sops -d -i /path/to/existing/file.yaml - # file.yaml is back in cleartext + # file.yaml is in cleartext + $ sops -e -i /path/to/existing/file.yaml + # file.yaml is now encrypted + $ sops -d -i /path/to/existing/file.yaml + # file.yaml is back in cleartext Encrypting binary files ~~~~~~~~~~~~~~~~~~~~~~~ @@ -1311,22 +1311,22 @@ In-place encryption/decryption also works on binary files. .. code:: sh - $ dd if=/dev/urandom of=/tmp/somerandom bs=1024 - count=512 - 512+0 records in - 512+0 records out - 524288 bytes (524 kB) copied, 0.0466158 s, 11.2 MB/s + $ dd if=/dev/urandom of=/tmp/somerandom bs=1024 + count=512 + 512+0 records in + 512+0 records out + 524288 bytes (524 kB) copied, 0.0466158 s, 11.2 MB/s - $ sha512sum /tmp/somerandom - 9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom + $ sha512sum /tmp/somerandom + 9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom - $ sops -e -i /tmp/somerandom - please wait while a data encryption key is being generated and stored securely + $ sops -e -i /tmp/somerandom + please wait while a data encryption key is being generated and stored securely - $ sops -d -i /tmp/somerandom + $ sops -d -i /tmp/somerandom - $ sha512sum /tmp/somerandom - 9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom + $ sha512sum /tmp/somerandom + 9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom Extract a sub-part of a document tree ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -1337,16 +1337,16 @@ values, like keys, without needing an extra parser. .. code:: sh - $ sops -d --extract '["app2"]["key"]' ~/git/svc/sops/example.yaml - -----BEGIN RSA PRIVATE KEY----- - MIIBPAIBAAJBAPTMNIyHuZtpLYc7VsHQtwOkWYobkUblmHWRmbXzlAX6K8tMf3Wf - ImcbNkqAKnELzFAPSBeEMhrBN0PyOC9lYlMCAwEAAQJBALXD4sjuBn1E7Y9aGiMz - bJEBuZJ4wbhYxomVoQKfaCu+kH80uLFZKoSz85/ySauWE8LgZcMLIBoiXNhDKfQL - vHECIQD6tCG9NMFWor69kgbX8vK5Y+QL+kRq+9HK6yZ9a+hsLQIhAPn4Ie6HGTjw - fHSTXWZpGSan7NwTkIu4U5q2SlLjcZh/AiEA78NYRRBwGwAYNUqzutGBqyXKUl4u - Erb0xAEyVV7e8J0CIQC8VBY8f8yg+Y7Kxbw4zDYGyb3KkXL10YorpeuZR4LuQQIg - bKGPkMM4w5blyE1tqGN0T7sJwEx+EUOgacRNqM2ljVA= - -----END RSA PRIVATE KEY----- + $ sops -d --extract '["app2"]["key"]' ~/git/svc/sops/example.yaml + -----BEGIN RSA PRIVATE KEY----- + MIIBPAIBAAJBAPTMNIyHuZtpLYc7VsHQtwOkWYobkUblmHWRmbXzlAX6K8tMf3Wf + ImcbNkqAKnELzFAPSBeEMhrBN0PyOC9lYlMCAwEAAQJBALXD4sjuBn1E7Y9aGiMz + bJEBuZJ4wbhYxomVoQKfaCu+kH80uLFZKoSz85/ySauWE8LgZcMLIBoiXNhDKfQL + vHECIQD6tCG9NMFWor69kgbX8vK5Y+QL+kRq+9HK6yZ9a+hsLQIhAPn4Ie6HGTjw + fHSTXWZpGSan7NwTkIu4U5q2SlLjcZh/AiEA78NYRRBwGwAYNUqzutGBqyXKUl4u + Erb0xAEyVV7e8J0CIQC8VBY8f8yg+Y7Kxbw4zDYGyb3KkXL10YorpeuZR4LuQQIg + bKGPkMM4w5blyE1tqGN0T7sJwEx+EUOgacRNqM2ljVA= + -----END RSA PRIVATE KEY----- The tree path syntax uses regular python dictionary syntax, without the variable name. Extract keys by naming them, and array elements by numbering @@ -1354,8 +1354,8 @@ them. .. code:: sh - $ sops -d --extract '["an_array"][1]' ~/git/svc/sops/example.yaml - secretuser2 + $ sops -d --extract '["an_array"][1]' ~/git/svc/sops/example.yaml + secretuser2 Set a sub-part in a document tree ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -1366,7 +1366,7 @@ set specific values, like keys, without needing an editor. .. code:: sh - $ sops --set '["app2"]["key"] "app2keystringvalue"' ~/git/svc/sops/example.yaml + $ sops --set '["app2"]["key"] "app2keystringvalue"' ~/git/svc/sops/example.yaml The tree path syntax uses regular python dictionary syntax, without the variable name. Set to keys by naming them, and array elements by @@ -1374,13 +1374,13 @@ numbering them. .. code:: sh - $ sops --set '["an_array"][1] "secretuser2"' ~/git/svc/sops/example.yaml + $ sops --set '["an_array"][1] "secretuser2"' ~/git/svc/sops/example.yaml The value must be formatted as json. .. code:: sh - $ sops --set '["an_array"][1] {"uid1":null,"uid2":1000,"uid3":["bob"]}' ~/git/svc/sops/example.yaml + $ sops --set '["an_array"][1] {"uid1":null,"uid2":1000,"uid3":["bob"]}' ~/git/svc/sops/example.yaml Showing diffs in cleartext in git ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -1394,18 +1394,18 @@ at the root of your repository that contains a filter and a command. .. code:: text - *.yaml diff=sopsdiffer + *.yaml diff=sopsdiffer Here we only care about YAML files. ``sopsdiffer`` is an arbitrary name that we map to a sops command in the git configuration file of the repository. .. code:: sh - $ git config diff.sopsdiffer.textconv "sops -d" + $ git config diff.sopsdiffer.textconv "sops -d" - $ grep -A 1 sopsdiffer .git/config - [diff "sopsdiffer"] - textconv = "sops -d" + $ grep -A 1 sopsdiffer .git/config + [diff "sopsdiffer"] + textconv = "sops -d" With this in place, calls to ``git diff`` will decrypt both previous and current versions of the target file prior to displaying the diff. And it even works with 
@@ -1437,7 +1437,7 @@ keys that match the supplied regular expression. For example, this command: .. code:: sh - $ sops --encrypt --encrypted-regex '^(data|stringData)$' k8s-secrets.yaml + $ sops --encrypt --encrypted-regex '^(data|stringData)$' k8s-secrets.yaml will encrypt the values under the ``data`` and ``stringData`` keys in a YAML file containing kubernetes secrets. It will not encrypt other values that help you to @@ -1449,7 +1449,7 @@ that match the supplied regular expression. For example, this command: .. code:: sh - $ sops --encrypt --unencrypted-regex '^(description|metadata)$' k8s-secrets.yaml + $ sops --encrypt --unencrypted-regex '^(description|metadata)$' k8s-secrets.yaml will not encrypt the values under the ``description`` and ``metadata`` keys in a YAML file containing kubernetes secrets, while encrypting everything else. @@ -1472,9 +1472,9 @@ For KMS: sops: kms: - - enc: CiC6yCOtzsnFhkfdIslYZ0bAf//gYLYCmIu87B3sy/5yYxKnAQEBAQB4usgjrc7JxYZH3SLJWGdGwH//4GC2ApiLvOwd7Mv+cmMAAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAyGdRODuYMHbA8Ozj8CARCAO7opMolPJUmBXd39Zlp0L2H9fzMKidHm1vvaF6nNFq0ClRY7FlIZmTm4JfnOebPseffiXFn9tG8cq7oi - enc_ts: 1439568549.245995 - arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e + - enc: CiC6yCOtzsnFhkfdIslYZ0bAf//gYLYCmIu87B3sy/5yYxKnAQEBAQB4usgjrc7JxYZH3SLJWGdGwH//4GC2ApiLvOwd7Mv+cmMAAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAyGdRODuYMHbA8Ozj8CARCAO7opMolPJUmBXd39Zlp0L2H9fzMKidHm1vvaF6nNFq0ClRY7FlIZmTm4JfnOebPseffiXFn9tG8cq7oi + enc_ts: 1439568549.245995 + arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e For PGP: 
@@ -1482,27 +1482,27 @@ For PGP: sops: pgp: - - fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21 - created_at: 1441570391.930042 - enc: | - -----BEGIN PGP MESSAGE----- - Version: GnuPG v1 - - hQIMA0t4uZHfl9qgAQ//UvGAwGePyHuf2/zayWcloGaDs0MzI+zw6CmXvMRNPUsA - pAgRKczJmDu4+XzN+cxX5Iq9xEWIbny9B5rOjwTXT3qcUYZ4Gkzbq4MWkjuPp/Iv - qO4MJaYzoH5YxC4YORQ2LvzhA2YGsCzYnljmatGEUNg01yJ6r5mwFwDxl4Nc80Cn - RwnHuGExK8j1jYJZu/juK1qRbuBOAuruIPPWVdFB845PA7waacG1IdUW3ZtBkOy3 - O0BIfG2ekRg0Nik6sTOhDUA+l2bewCcECI8FYCEjwHm9Sg5cxmP2V5m1mby+uKAm - kewaoOyjbmV1Mh3iI1b/AQMr+/6ZE9MT2KnsoWosYamFyjxV5r1ZZM7cWKnOT+tu - KOvGhTV1TeOfVpajNTNwtV/Oyh3mMLQ0F0HgCTqomQVqw5+sj7OWAASuD3CU/dyo - pcmY5Qe0TNL1JsMNEH8LJDqSh+E0hsUxdY1ouVsg3ysf6mdM8ciWb3WRGxih1Vmf - unfLy8Ly3V7ZIC8EHV8aLJqh32jIZV4i2zXIoO4ZBKrudKcECY1C2+zb/TziVAL8 - qyPe47q8gi1rIyEv5uirLZjgpP+JkDUgoMnzlX334FZ9pWtQMYW4Y67urAI4xUq6 - /q1zBAeHoeeeQK+YKDB7Ak/Y22YsiqQbNp2n4CKSKAE4erZLWVtDvSp+49SWmS/S - XgGi+13MaXIp0ecPKyNTBjF+NOw/I3muyKr8EbDHrd2XgIT06QXqjYLsCb1TZ0zm - xgXsOTY3b+ONQ2zjhcovanDp7/k77B+gFitLYKg4BLZsl7gJB12T8MQnpfSmRT4= - =oJgS - -----END PGP MESSAGE----- + - fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21 + created_at: 1441570391.930042 + enc: | + -----BEGIN PGP MESSAGE----- + Version: GnuPG v1 + + hQIMA0t4uZHfl9qgAQ//UvGAwGePyHuf2/zayWcloGaDs0MzI+zw6CmXvMRNPUsA + pAgRKczJmDu4+XzN+cxX5Iq9xEWIbny9B5rOjwTXT3qcUYZ4Gkzbq4MWkjuPp/Iv + qO4MJaYzoH5YxC4YORQ2LvzhA2YGsCzYnljmatGEUNg01yJ6r5mwFwDxl4Nc80Cn + RwnHuGExK8j1jYJZu/juK1qRbuBOAuruIPPWVdFB845PA7waacG1IdUW3ZtBkOy3 + O0BIfG2ekRg0Nik6sTOhDUA+l2bewCcECI8FYCEjwHm9Sg5cxmP2V5m1mby+uKAm + kewaoOyjbmV1Mh3iI1b/AQMr+/6ZE9MT2KnsoWosYamFyjxV5r1ZZM7cWKnOT+tu + KOvGhTV1TeOfVpajNTNwtV/Oyh3mMLQ0F0HgCTqomQVqw5+sj7OWAASuD3CU/dyo + pcmY5Qe0TNL1JsMNEH8LJDqSh+E0hsUxdY1ouVsg3ysf6mdM8ciWb3WRGxih1Vmf + unfLy8Ly3V7ZIC8EHV8aLJqh32jIZV4i2zXIoO4ZBKrudKcECY1C2+zb/TziVAL8 + qyPe47q8gi1rIyEv5uirLZjgpP+JkDUgoMnzlX334FZ9pWtQMYW4Y67urAI4xUq6 + /q1zBAeHoeeeQK+YKDB7Ak/Y22YsiqQbNp2n4CKSKAE4erZLWVtDvSp+49SWmS/S + 
XgGi+13MaXIp0ecPKyNTBjF+NOw/I3muyKr8EbDHrd2XgIT06QXqjYLsCb1TZ0zm + xgXsOTY3b+ONQ2zjhcovanDp7/k77B+gFitLYKg4BLZsl7gJB12T8MQnpfSmRT4= + =oJgS + -----END PGP MESSAGE----- ``sops`` then opens a text editor on the newly created file. The user adds data to the file and saves it when done. @@ -1649,7 +1649,7 @@ when creating a new file: .. code:: sh - $ sops --pgp "E60892BB9BD89A69F759A1A0A3D652173B763E8F,84050F1D61AF7C230A12217687DF65059EF093D3,85D77543B3D624B63CEA9E6DBC17301B491B3F21" mynewfile.yaml + $ sops --pgp "E60892BB9BD89A69F759A1A0A3D652173B763E8F,84050F1D61AF7C230A12217687DF65059EF093D3,85D77543B3D624B63CEA9E6DBC17301B491B3F21" mynewfile.yaml Threat Model ------------ @@ -1730,7 +1730,7 @@ Credits ------- `sops` was inspired by `hiera-eyaml `_, -`credstash `_ , +`credstash `_, `sneaker `_, `password store `_ and too many years managing PGP encrypted files by hand... From 292cde5f200bcac3956998281ab3d1f348be668f Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Tue, 10 Oct 2023 07:27:21 +0200 Subject: [PATCH 112/135] Normalize SOPS usages. Signed-off-by: Felix Fontein --- README.rst | 152 ++++++++++++++++++++++++++--------------------------- 1 file changed, 76 insertions(+), 76 deletions(-) diff --git a/README.rst b/README.rst index 38cf786d1..d9bffb04f 100644 --- a/README.rst +++ b/README.rst @@ -1,7 +1,7 @@ SOPS: Secrets OPerationS ======================== -**sops** is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY +**SOPS** is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. (`demo `_) @@ -43,7 +43,7 @@ If you don't have Go installed, set it up with: Or whatever variation of the above fits your system and shell. -To use **sops** as a library, take a look at the `decrypt package `_. +To use **SOPS** as a library, take a look at the `decrypt package `_. .. sectnum:: .. contents:: Table of Contents 
@@ -51,7 +51,7 @@ To use **sops** as a library, take a look at the `decrypt package `_ for @@ -156,11 +156,11 @@ To decrypt a file in a ``cat`` fashion, use the ``-d`` flag: $ sops -d mynewtestfile.yaml -``sops`` encrypted files contain the necessary information to decrypt their content. -All a user of ``sops`` needs is valid AWS credentials and the necessary +SOPS encrypted files contain the necessary information to decrypt their content. +All a user of SOPS needs is valid AWS credentials and the necessary permissions on KMS keys. -Given that, the only command a ``sops`` user needs is: +Given that, the only command a SOPS user needs is: .. code:: sh @@ -173,7 +173,7 @@ steps, apart from the actual editing, are transparent to the user. Test with the dev PGP key ~~~~~~~~~~~~~~~~~~~~~~~~~ -If you want to test **sops** without having to do a bunch of setup, you can use +If you want to test **SOPS** without having to do a bunch of setup, you can use the example files and pgp key provided with the repository:: $ git clone https://github.com/getsops/sops.git @@ -197,7 +197,7 @@ the ``--age`` option or the **SOPS_AGE_RECIPIENTS** environment variable: $ sops --encrypt --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml -When decrypting a file with the corresponding identity, sops will look for a +When decrypting a file with the corresponding identity, SOPS will look for a text file name ``keys.txt`` located in a ``sops`` subdirectory of your user configuration directory. On Linux, this would be ``$XDG_CONFIG_HOME/sops/age/keys.txt``. On macOS, this would be ``$HOME/Library/Application Support/sops/age/keys.txt``. On 
@@ -210,7 +210,7 @@ The contents of this key file should be a list of age X25519 identities, one per line. Lines beginning with ``#`` are considered comments and ignored. Each identity will be tried in sequence until one is able to decrypt the data. -Encrypting with SSH keys via age is not yet supported by sops. +Encrypting with SSH keys via age is not yet supported by SOPS. Encrypting using GCP KMS @@ -360,7 +360,7 @@ To easily deploy Vault locally: (DO NOT DO THIS FOR PRODUCTION!!!) Cluster ID e532e461-e8f0-1352-8a41-fc7c11096908 HA Enabled false - $ # It is required to enable a transit engine if not already done (It is suggested to create a transit engine specifically for sops, in which it is possible to have multiple keys with various permission levels) + $ # It is required to enable a transit engine if not already done (It is suggested to create a transit engine specifically for SOPS, in which it is possible to have multiple keys with various permission levels) $ vault secrets enable -path=sops transit Success! Enabled the transit secrets engine at: sops/ @@ -389,7 +389,7 @@ To easily deploy Vault locally: (DO NOT DO THIS FOR PRODUCTION!!!) Adding and removing keys ~~~~~~~~~~~~~~~~~~~~~~~~ -When creating new files, ``sops`` uses the PGP, KMS and GCP KMS defined in the +When creating new files, SOPS uses the PGP, KMS and GCP KMS defined in the command line arguments ``--kms``, ``--pgp``, ``--gcp-kms`` or ``--azure-kv``, or from the environment variables ``SOPS_KMS_ARN``, ``SOPS_PGP_FP``, ``SOPS_GCP_KMS_IDS``, ``SOPS_AZURE_KEYVAULT_URLS``. That information is stored in the file under the @@ -405,7 +405,7 @@ three ways: 3. By editing the file directly. -The sops team recommends the ``updatekeys`` approach. +The SOPS team recommends the ``updatekeys`` approach. ``updatekeys`` command 
@@ -428,7 +428,7 @@ separated list. $ sops updatekeys test.enc.yaml -Sops will prompt you with the changes to be made. This interactivity can be +SOPS will prompt you with the changes to be made. This interactivity can be disabled by supplying the ``-y`` flag. Command Line @@ -457,8 +457,8 @@ Direct Editing ************** Alternatively, invoking ``sops`` with the flag **-s** will display the master keys -while editing. This method can be used to add or remove kms or pgp keys under the -sops section. Invoking ``sops`` with the **-i** flag will perform an in-place edit +while editing. This method can be used to add or remove ``kms`` or ``pgp`` keys under the +``sops`` section. Invoking ``sops`` with the **-i** flag will perform an in-place edit instead of redirecting output to ``stdout``. For example, to add a KMS master key to a file, add the following entry while @@ -478,7 +478,7 @@ And, similarly, to add a PGP master key, we add its fingerprint: pgp: - fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21 -When the file is saved, ``sops`` will update its metadata and encrypt the data key +When the file is saved, SOPS will update its metadata and encrypt the data key with the freshly added master keys. The removed entries are simply deleted from the file. @@ -520,7 +520,7 @@ the user is allowed to assume in each account. The `IAM roles `_ documentation has full details on how this needs to be configured on AWS's side. -From the point of view of ``sops``, you only need to specify the role a KMS key +From the point of view of SOPS, you only need to specify the role a KMS key must assume alongside its ARN, as follows: .. code:: yaml 
@@ -601,8 +601,8 @@ roles that can only access a given context. An example policy is shown below: Key Rotation ~~~~~~~~~~~~ -It is recommended to renew the data key on a regular basis. ``sops`` supports key -rotation via the ``-r`` flag. Invoking it on an existing file causes sops to +It is recommended to renew the data key on a regular basis. SOPS supports key +rotation via the ``-r`` flag. Invoking it on an existing file causes SOPS to reencrypt the file with a new data key, which is then encrypted with the various KMS and PGP master keys defined in the file. @@ -657,14 +657,14 @@ can manage the three sets of configurations for the three types of files: pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' When creating any file under **mysecretrepo**, whether at the root or under -a subdirectory, sops will recursively look for a ``.sops.yaml`` file. If one is +a subdirectory, SOPS will recursively look for a ``.sops.yaml`` file. If one is found, the filename of the file being created is compared with the filename regexes of the configuration file. The first regex that matches is selected, and its KMS and PGP keys are used to encrypt the file. It should be noted that the looking up of ``.sops.yaml`` is from the working directory (CWD) instead of the directory of the encrypting file (see `Issue 242 `_). -The path_regex checks the path of the encrypting file relative to the .sops.yaml config file. Here is another example: +The ``path_regex`` checks the path of the encrypting file relative to the ``.sops.yaml`` config file. Here is another example: * files located under directory **development** should use one set of KMS A * files located under directory **production** should use another set of KMS B 
@@ -695,12 +695,12 @@ Creating a new file with the right keys is now as simple as $ sops .prod.yaml Note that the configuration file is ignored when KMS or PGP parameters are -passed on the sops command line or in environment variables. +passed on the SOPS command line or in environment variables. Specify a different GPG executable ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -``sops`` checks for the ``SOPS_GPG_EXEC`` environment variable. If specified, +SOPS checks for the ``SOPS_GPG_EXEC`` environment variable. If specified, it will attempt to use the executable set there instead of the default of ``gpg``. @@ -714,7 +714,7 @@ Example: place the following in your ``~/.bashrc`` Specify a different GPG key server ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -By default, ``sops`` uses the key server ``keys.openpgp.org`` to retrieve the GPG +By default, SOPS uses the key server ``keys.openpgp.org`` to retrieve the GPG keys that are not present in the local keyring. This is no longer configurable. You can learn more about why from this write-up: `SKS Keyserver Network Under Attack `_. 
@@ -722,19 +722,19 @@ This is no longer configurable. You can learn more about why from this write-up: Key groups ~~~~~~~~~~ -By default, ``sops`` encrypts the data key for a file with each of the master keys, +By default, SOPS encrypts the data key for a file with each of the master keys, such that if any of the master keys is available, the file can be decrypted. However, it is sometimes desirable to require access to multiple master keys in order to decrypt files. This can be achieved with key groups. -When using key groups in sops, data keys are split into parts such that keys from -multiple groups are required to decrypt a file. ``sops`` uses Shamir's Secret Sharing +When using key groups in SOPS, data keys are split into parts such that keys from +multiple groups are required to decrypt a file. SOPS uses Shamir's Secret Sharing to split the data key such that each key group has a fragment, each key in the key group can decrypt that fragment, and a configurable number of fragments (threshold) are needed to decrypt and piece together the complete data key. When decrypting a -file using multiple key groups, ``sops`` goes through key groups in order, and in +file using multiple key groups, SOPS goes through key groups in order, and in each group, tries to recover the fragment of the data key using a master key from -that group. Once the fragment is recovered, ``sops`` moves on to the next group, +that group. Once the fragment is recovered, SOPS moves on to the next group, until enough fragments have been recovered to obtain the complete data key. By default, the threshold is set to the number of key groups. For example, if 
@@ -789,7 +789,7 @@ like so: Given this configuration, we can create a new encrypted file like we normally would, and optionally provide the ``--shamir-secret-sharing-threshold`` command line -flag if we want to override the default threshold. ``sops`` will then split the data +flag if we want to override the default threshold. SOPS will then split the data key into three parts (from the number of key groups) and encrypt each fragment with the master keys found in each group. @@ -842,9 +842,9 @@ You can then decrypt the file the same way as with any other SOPS file: Key service ~~~~~~~~~~~ -There are situations where you might want to run ``sops`` on a machine that +There are situations where you might want to run SOPS on a machine that doesn't have direct access to encryption keys such as PGP keys. The ``sops`` key -service allows you to forward a socket so that ``sops`` can access encryption +service allows you to forward a socket so that SOPS can access encryption keys stored on a remote machine. This is similar to GPG Agent, but more portable. @@ -934,13 +934,13 @@ provide more than one backend, and SOPS will log to all of them: Saving Output to a File ~~~~~~~~~~~~~~~~~~~~~~~ -By default ``sops`` just dumps all the output to the standard output. We can use the +By default SOPS just dumps all the output to the standard output. We can use the ``--output`` flag followed by a filename to save the output to the file specified. Beware using both ``--in-place`` and ``--output`` flags will result in an error. Passing Secrets to Other Processes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -In addition to writing secrets to standard output and to files on disk, ``sops`` +In addition to writing secrets to standard output and to files on disk, SOPS has two commands for passing decrypted secrets to a new process: ``exec-env`` and ``exec-file``. These commands will place all output into the environment of a child process and into a temporary file, respectively. For example, if a 
@@ -975,13 +975,13 @@ written to disk. If the command you want to run only operates on files, you can use ``exec-file`` -instead. By default ``sops`` will use a FIFO to pass the contents of the +instead. By default SOPS will use a FIFO to pass the contents of the decrypted file to the new program. Using a FIFO, secrets are only passed in memory which has two benefits: the plaintext secrets never touch the disk, and the child process can only read the secrets once. In contexts where this won't work, eg platforms like Windows where FIFOs unavailable or secret files that need to be available to the child process longer term, the ``--no-fifo`` flag can be -used to instruct ``sops`` to use a traditional temporary file that will get cleaned +used to instruct SOPS to use a traditional temporary file that will get cleaned up once the process is finished executing. ``exec-file`` behaves similar to ``find(1)`` in that ``{}`` is used as a placeholder in the command which will be substituted with the temporary file path (whether a FIFO or an actual file). @@ -1043,7 +1043,7 @@ To overwrite the default file name (``tmp-file``) in ``exec-file`` use the Using the publish command ~~~~~~~~~~~~~~~~~~~~~~~~~ -``sops publish $file`` publishes a file to a pre-configured destination (this lives in the sops +``sops publish $file`` publishes a file to a pre-configured destination (this lives in the SOPS config file). Additionally, support re-encryption rules that work just like the creation rules. This command requires a ``.sops.yaml`` configuration file. Below is an example: 
@@ -1085,7 +1085,7 @@ There are a few settings for Vault that you can place in your destination rules. is ``vault_path``, which is required. The others are optional, and they are ``vault_address``, ``vault_kv_mount_name``, ``vault_kv_version``. -``sops`` uses the official Vault API provided by Hashicorp, which makes use of `environment +SOPS uses the official Vault API provided by Hashicorp, which makes use of `environment variables `_ for configuring the client. @@ -1131,7 +1131,7 @@ Important information on types YAML and JSON type extensions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -``sops`` uses the file extension to decide which encryption method to use on the file +SOPS uses the file extension to decide which encryption method to use on the file content. ``YAML``, ``JSON``, ``ENV``, and ``INI`` files are treated as trees of data, and key/values are extracted from the files to only encrypt the leaf values. The tree structure is also used to check the integrity of the file. @@ -1146,7 +1146,7 @@ extension after encrypting a file. For example: $ sops -d myfile.json If you want to change the extension of the file once encrypted, you need to provide -sops with the ``--input-type`` flag upon decryption. For example: +SOPS with the ``--input-type`` flag upon decryption. For example: .. code:: sh @@ -1162,11 +1162,11 @@ When operating on stdin, use the ``--input-type`` and ``--output-type`` flags as YAML anchors ~~~~~~~~~~~~ -``sops`` only supports a subset of ``YAML``'s many types. Encrypting YAML files that +SOPS only supports a subset of ``YAML``'s many types. Encrypting YAML files that contain strings, numbers and booleans will work fine, but files that contain anchors will not work, because the anchors redefine the structure of the file at load time. -This file will not work in ``sops``: +This file will not work in SOPS: .. code:: yaml 
@@ -1179,7 +1179,7 @@ This file will not work in ``sops``: ship-to: *id001 -``sops`` uses the path to a value as additional data in the AEAD encryption, and thus +SOPS uses the path to a value as additional data in the AEAD encryption, and thus dynamic paths generated by anchors break the authentication step. JSON and TEXT file types do not support anchors and thus have no such limitation. @@ -1188,7 +1188,7 @@ YAML Streams ~~~~~~~~~~~~ ``YAML`` supports having more than one "document" in a single file, while -formats like ``JSON`` do not. ``sops`` is able to handle both. This means the +formats like ``JSON`` do not. SOPS is able to handle both. This means the following multi-document will be encrypted as expected: .. code:: yaml @@ -1203,10 +1203,10 @@ file rather than each internal "document". Top-level arrays ~~~~~~~~~~~~~~~~ -``YAML`` and ``JSON`` top-level arrays are not supported, because ``sops`` +``YAML`` and ``JSON`` top-level arrays are not supported, because SOPS needs a top-level ``sops`` key to store its metadata. -This file will not work in sops: +This file will not work in SOPS: .. code:: yaml @@ -1252,7 +1252,7 @@ But this one will work just fine: Examples -------- -Take a look into the `examples folder `_ for detailed use cases of sops in a CI environment. The section below describes specific tips for common use cases. +Take a look into the `examples folder `_ for detailed use cases of SOPS in a CI environment. The section below describes specific tips for common use cases. Creating a new file ~~~~~~~~~~~~~~~~~~~ 
@@ -1266,8 +1266,8 @@ The command below creates a new file with a data key encrypted by KMS and PGP. Encrypting an existing file ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Similar to the previous command, we tell sops to use one KMS and one PGP key. -The path points to an existing cleartext file, so we give sops flag ``-e`` to +Similar to the previous command, we tell SOPS to use one KMS and one PGP key. +The path points to an existing cleartext file, so we give SOPS flag ``-e`` to encrypt the file, and redirect the output to a destination file. .. code:: sh @@ -1285,7 +1285,7 @@ Decrypt the file with ``-d``. Encrypt or decrypt a file in place ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Rather than redirecting the output of ``-e`` or ``-d``, sops can replace the +Rather than redirecting the output of ``-e`` or ``-d``, SOPS can replace the original file after encrypting or decrypting it. .. code:: sh @@ -1299,8 +1299,8 @@ original file after encrypting or decrypting it. Encrypting binary files ~~~~~~~~~~~~~~~~~~~~~~~ -``sops`` primary use case is encrypting YAML and JSON configuration files, but it -also has the ability to manage binary files. When encrypting a binary, sops will +SOPS primary use case is encrypting YAML and JSON configuration files, but it +also has the ability to manage binary files. When encrypting a binary, SOPS will read the data as bytes, encrypt it, store the encrypted base64 under ``tree['data']`` and write the result as JSON. @@ -1331,7 +1331,7 @@ In-place encryption/decryption also works on binary files. Extract a sub-part of a document tree ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -``sops`` can extract a specific part of a YAML or JSON document, by provided the +SOPS can extract a specific part of a YAML or JSON document, by provided the path in the ``--extract`` command line flag. This is useful to extract specific values, like keys, without needing an extra parser. 
@@ -1360,7 +1360,7 @@ them. Set a sub-part in a document tree ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -``sops`` can set a specific part of a YAML or JSON document, by providing +SOPS can set a specific part of a YAML or JSON document, by providing the path and value in the ``--set`` command line flag. This is useful to set specific values, like keys, without needing an editor. @@ -1386,10 +1386,10 @@ Showing diffs in cleartext in git ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You most likely want to store encrypted files in a version controlled repository. -Sops can be used with git to decrypt files when showing diffs between versions. +SOPS can be used with git to decrypt files when showing diffs between versions. This is very handy for reviewing changes or visualizing history. -To configure sops to decrypt files during diff, create a ``.gitattributes`` file +To configure SOPS to decrypt files during diff, create a ``.gitattributes`` file at the root of your repository that contains a filter and a command. .. code:: text @@ -1397,7 +1397,7 @@ at the root of your repository that contains a filter and a command. *.yaml diff=sopsdiffer Here we only care about YAML files. ``sopsdiffer`` is an arbitrary name that we map -to a sops command in the git configuration file of the repository. +to a SOPS command in the git configuration file of the repository. .. code:: sh 
@@ -1416,14 +1416,14 @@ Encrypting only parts of a file Note: this only works on YAML and JSON files, not on BINARY files. -By default, ``sops`` encrypts all the values of a YAML or JSON file and leaves the +By default, SOPS encrypts all the values of a YAML or JSON file and leaves the keys in cleartext. In some instances, you may want to exclude some values from being encrypted. This can be accomplished by adding the suffix **_unencrypted** to any key of a file. When set, all values underneath the key that set the **_unencrypted** suffix will be left in cleartext. Note that, while in cleartext, unencrypted content is still added to the -checksum of the file, and thus cannot be modified outside of sops without +checksum of the file, and thus cannot be modified outside of SOPS without breaking the file integrity check. The unencrypted suffix can be set to a different value using the @@ -1462,7 +1462,7 @@ mutually exclusive and cannot all be used in the same file. Encryption Protocol ------------------- -When sops creates a file, it generates a random 256 bit data key and asks each +When SOPS creates a file, it generates a random 256 bit data key and asks each KMS and PGP master key to encrypt the data key. The encrypted version of the data key is stored in the ``sops`` metadata under ``sops.kms`` and ``sops.pgp``. @@ -1504,10 +1504,10 @@ For PGP: =oJgS -----END PGP MESSAGE----- -``sops`` then opens a text editor on the newly created file. The user adds data to the +SOPS then opens a text editor on the newly created file. The user adds data to the file and saves it when done. -Upon save, sops browses the entire file as a key/value tree. Every time sops +Upon save, SOPS browses the entire file as a key/value tree. Every time SOPS encounters a leaf value (a value that does not have children), it encrypts the value with AES256_GCM using the data key and a 256 bit random initialization vector. 
@@ -1525,7 +1525,7 @@ Any valid KMS or PGP master key can later decrypt the data key and access the data. Multiple master keys allow for sharing encrypted files without sharing master -keys, and provide a disaster recovery solution. The recommended way to use sops +keys, and provide a disaster recovery solution. The recommended way to use SOPS is to have two KMS master keys in different regions and one PGP public key with the private key stored offline. If, by any chance, both KMS master keys are lost, you can always recover the encrypted data using the PGP private key. @@ -1534,9 +1534,9 @@ Message Authentication Code ~~~~~~~~~~~~~~~~~~~~~~~~~~~ In addition to authenticating branches of the tree using keys as additional -data, sops computes a MAC on all the values to ensure that no value has been +data, SOPS computes a MAC on all the values to ensure that no value has been added or removed fraudulently. The MAC is stored encrypted with AES_GCM and -the data key under tree->`sops`->`mac`. +the data key under tree -> ``sops`` -> ``mac``. Motivation ---------- @@ -1644,7 +1644,7 @@ all our KMS master keys. SOPS can be used without KMS entirely, the same way you would use an encrypted PGP file: by referencing the pubkeys of each individual who has access to the file. -It can easily be done by providing sops with a comma-separated list of public keys +It can easily be done by providing SOPS with a comma-separated list of public keys when creating a new file: .. code:: sh @@ -1654,7 +1654,7 @@ when creating a new file: Threat Model ------------ -The security of the data stored using sops is as strong as the weakest +The security of the data stored using SOPS is as strong as the weakest cryptographic mechanism. Values are encrypted using AES256_GCM which is the strongest symmetric encryption algorithm known today. Data keys are encrypted in either KMS, which also uses AES256_GCM, or PGP which uses either RSA or 
@@ -1666,7 +1666,7 @@ Compromised AWS credentials grant access to KMS master key ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An attacker with access to an AWS console can grant itself access to one of -the KMS master keys used to encrypt a sops data key. This threat should be +the KMS master keys used to encrypt a ``sops`` data key. This threat should be mitigated by protecting AWS accesses with strong controls, such as multi-factor authentication, and also by performing regular audits of permissions granted to AWS users. 
@@ -1676,29 +1676,29 @@ Compromised PGP key PGP keys are routinely mishandled, either because owners copy them from machine to machine, or because the key is left forgotten on an unused machine -an attacker gains access to. When using PGP encryption, sops users should take +an attacker gains access to. When using PGP encryption, SOPS users should take special care of PGP private keys, and store them on smart cards or offline as often as possible. Factorized RSA key ~~~~~~~~~~~~~~~~~~ -sops doesn't apply any restriction on the size or type of PGP keys. A weak PGP +SOPS doesn't apply any restriction on the size or type of PGP keys. A weak PGP keys, for example 512 bits RSA, could be factorized by an attacker to gain -access to the private key and decrypt the data key. Users of sops should rely +access to the private key and decrypt the data key. Users of SOPS should rely on strong keys, such as 2048+ bits RSA keys, or 256+ bits ECDSA keys. Weak AES cryptography ~~~~~~~~~~~~~~~~~~~~~ A vulnerability in AES256_GCM could potentially leak the data key or the KMS -master key used by a sops encrypted file. While no such vulnerability exists +master key used by a SOPS encrypted file. While no such vulnerability exists today, we recommend that users keep their encrypted files reasonably private. Backward compatibility ---------------------- -``sops`` will remain backward compatible on the major version, meaning that all +SOPS will remain backward compatible on the major version, meaning that all improvements brought to the 1.X and 2.X branches (current) will maintain the file format introduced in **1.0**. @@ -1729,7 +1729,7 @@ and had not been possible without the contributions of numerous `contributors `_, +SOPS was inspired by `hiera-eyaml `_, `credstash `_, `sneaker `_, `password store `_ and too many years managing From ee4cdbddb4b964ad1c23913f4ec11c7ab201ea34 Mon Sep 17 00:00:00 2001 
From: Felix Fontein Date: Tue, 10 Oct 2023 22:41:34 +0200 Subject: [PATCH 113/135] Change some SOPSs back to sops. Signed-off-by: Felix Fontein --- README.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.rst b/README.rst index d9bffb04f..c6a40453b 100644 --- a/README.rst +++ b/README.rst @@ -96,7 +96,7 @@ separated, in the **SOPS_PGP_FP** env variable. Note: you can use both PGP and KMS simultaneously. -Then simply call SOPS with a file path as argument. It will handle the +Then simply call ``sops`` with a file path as argument. It will handle the encryption/decryption transparently and open the cleartext file in an editor .. code:: sh @@ -389,7 +389,7 @@ To easily deploy Vault locally: (DO NOT DO THIS FOR PRODUCTION!!!) Adding and removing keys ~~~~~~~~~~~~~~~~~~~~~~~~ -When creating new files, SOPS uses the PGP, KMS and GCP KMS defined in the +When creating new files, ``sops`` uses the PGP, KMS and GCP KMS defined in the command line arguments ``--kms``, ``--pgp``, ``--gcp-kms`` or ``--azure-kv``, or from the environment variables ``SOPS_KMS_ARN``, ``SOPS_PGP_FP``, ``SOPS_GCP_KMS_IDS``, ``SOPS_AZURE_KEYVAULT_URLS``. That information is stored in the file under the @@ -601,8 +601,8 @@ roles that can only access a given context. An example policy is shown below: Key Rotation ~~~~~~~~~~~~ -It is recommended to renew the data key on a regular basis. SOPS supports key -rotation via the ``-r`` flag. Invoking it on an existing file causes SOPS to +It is recommended to renew the data key on a regular basis. ``sops`` supports key +rotation via the ``-r`` flag. Invoking it on an existing file causes ``sops`` to reencrypt the file with a new data key, which is then encrypted with the various KMS and PGP master keys defined in the file. 
@@ -1146,7 +1146,7 @@ extension after encrypting a file. For example: $ sops -d myfile.json If you want to change the extension of the file once encrypted, you need to provide -SOPS with the ``--input-type`` flag upon decryption. For example: +``sops`` with the ``--input-type`` flag upon decryption. For example: .. code:: sh @@ -1267,7 +1267,7 @@ Encrypting an existing file ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Similar to the previous command, we tell SOPS to use one KMS and one PGP key. -The path points to an existing cleartext file, so we give SOPS flag ``-e`` to +The path points to an existing cleartext file, so we give ``sops`` the flag ``-e`` to encrypt the file, and redirect the output to a destination file. .. code:: sh @@ -1285,7 +1285,7 @@ Decrypt the file with ``-d``. Encrypt or decrypt a file in place ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Rather than redirecting the output of ``-e`` or ``-d``, SOPS can replace the +Rather than redirecting the output of ``-e`` or ``-d``, ``sops`` can replace the original file after encrypting or decrypting it. .. code:: sh From 30712747f87af77ed36b6ebfacc71aaea3ab41d1 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Sat, 16 Sep 2023 11:26:34 +0200 Subject: [PATCH 114/135] Add workflow for rstcheck and mdl. Signed-off-by: Felix Fontein --- .github/workflows/docs.yml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/docs.yml diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml new file mode 100644 index 000000000..14f11280e --- /dev/null +++ b/.github/workflows/docs.yml 
@@ -0,0 +1,38 @@ +name: "Docs" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + # Only consider changes to documentation + paths: + - '**/*.md' + - '**/*.rst' + - '**/*.txt' + schedule: + - cron: '25 6 * * 3' + +permissions: + contents: read + +jobs: + documentation: + name: Lint RST and MD files + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + + - name: Install rstcheck + run: pip install rstcheck + + - name: Run rstcheck on all RST files + run: rstcheck $(find -name '*.rst') + + - name: Install markdownlint + run: sudo gem install mdl + + - name: Run mdl on all MD files + run: mdl $(find -name '*.md') From 6c75c3b2d6a62620cb726c87506aedd0b978fbb4 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Sat, 16 Sep 2023 22:38:17 +0200 Subject: [PATCH 115/135] Add checkdocs, checkrst, and checkmd make targets. Signed-off-by: Felix Fontein --- .github/workflows/docs.yml | 13 ++++++------- Makefile | 19 +++++++++++++++++++ 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 14f11280e..fc3916fe0 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -25,14 +25,13 @@ jobs: - name: Checkout code uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - - name: Install rstcheck - run: pip install rstcheck + - name: Install rstcheck and markdownlint + run: | + pip install rstcheck + sudo gem install mdl - name: Run rstcheck on all RST files - run: rstcheck $(find -name '*.rst') - - - name: Install markdownlint - run: sudo gem install mdl + run: make checkrst - name: Run mdl on all MD files - run: mdl $(find -name '*.md') + run: make checkmd diff --git a/Makefile b/Makefile index a8e417941..d0e22c059 100644 --- a/Makefile +++ b/Makefile 
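Review bot: The two install steps pull `rstcheck` from PyPI and `mdl` from RubyGems with no version pin, so whatever is latest at run time executes in CI on every push, pull request and weekly cron, while the same workflow pins `actions/checkout` to a commit SHA — the supply-chain posture is inconsistent. A newly published or hijacked release of either tool would run with the job's token; `permissions: contents: read` limits what such a release could do with that token, but it does not stop it from running arbitrary code in the job. Pin both to exact versions, e.g. `run: pip install 'rstcheck==<pinned version>'` and `run: sudo gem install mdl -v '<pinned version>'`, and consider `pip install --require-hashes -r requirements-docs.txt` if hash pinning is wanted. Dependabot or Renovate can then bump the pins the same way it would the action SHA.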
@@ -20,6 +20,9 @@ SYFT_VERSION ?= v0.87.0 GORELEASER := $(BIN_DIR)/goreleaser GORELEASER_VERSION ?= v1.20.0 +RSTCHECK := $(shell command -v rstcheck) +MARKDOWNLINT := $(shell command -v mdl) + export PATH := $(BIN_DIR):$(PATH) .PHONY: all @@ -45,6 +48,22 @@ vendor: vet: $(GO) vet ./... + +.PHONY: checkdocs +checkdocs: checkrst checkmd + +.PHONY: checkrst +RST_FILES=$(shell find . -name '*.rst' | grep -v /vendor/ | sort) +checkrst: $(RST_FILES) + @if [ "$(RSTCHECK)" == "" ]; then echo "Need rstcheck to lint RST files. Install rstcheck from your system package repository or from PyPI (https://pypi.org/project/rstcheck/)."; exit 1; fi + $(RSTCHECK) --report-level warning $^ + +.PHONY: checkmd +MD_FILES=$(shell find . -name '*.md' | grep -v /vendor/ | sort) +checkmd: $(MD_FILES) + @if [ "$(MARKDOWNLINT)" == "" ]; then echo "Need markdownlint to lint RST files. Install markdownlint from your system package repository or from https://github.com/markdownlint/markdownlint."; exit 1; fi + $(MARKDOWNLINT) $^ + .PHONY: test test: vendor gpg --import pgp/sops_functional_tests_key.asc 2>&1 1>/dev/null || exit 0 From d55ba79333ad2a59dd0eeef5cad2f76de6f78302 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Sat, 16 Sep 2023 22:38:30 +0200 Subject: [PATCH 116/135] Add section in CONTRIBUTING.md on docs changes. Signed-off-by: Felix Fontein --- CONTRIBUTING.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 885e14376..947dcfd48 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
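Review bot: In the `checkrst` and `checkmd` recipes the guard `[ "$(RSTCHECK)" == "" ]` uses `==`, which POSIX `test` does not define; with Make's default `/bin/sh` being dash on Debian/Ubuntu this appears to fail with `unexpected operator`, the guard never fires, and the recipe then runs an empty command followed by `--report-level warning …`, giving a confusing error instead of the intended install hint. Use the POSIX form in both targets: `@if [ -z "$(RSTCHECK)" ]; then echo "Need rstcheck …"; exit 1; fi` and `@if [ -z "$(MARKDOWNLINT)" ]; then echo "Need markdownlint …"; exit 1; fi`. The `checkmd` message also says "to lint RST files" where it should say "MD files". Note that `$(shell command -v …)` is resolved when the Makefile is parsed, so a tool installed by an earlier recipe in the same `make` invocation will not be picked up.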
@@ -9,6 +9,11 @@ and instructions if you are thinking of helping with the development of SOPS. how to install Go [here](https://go.dev/doc/install) - Clone the Git repository and switch into SOPS's directory. - Run the tests with `make test`. They should all pass. +- If you modify documentation (RST or MD files), run `make checkdocs` to run + [rstcheck](https://pypi.org/project/rstcheck/) and + [markdownlint](https://github.com/markdownlint/markdownlint). These should also + pass. If you need help in fixing issues, create a pull request (see below) and + ask for help. - Fork the project on GitHub. - Add your fork to Git's remotes: - If you use SSH authentication: From 59d85b8c183134057a18e26da49e326760127b50 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 10 Oct 2023 23:57:40 +0200 Subject: [PATCH 117/135] Update dependencies - github.com/Azure/azure-sdk-for-go/sdk/azidentity to v1.4.0 - github.com/ProtonMail/go-crypto to v0.0.0-20230923063757-afb1ddc0824c - github.com/google/go-cmp to v0.6.0 - golang.org/x/net to v0.17.0 - google.golang.org/api to v0.146.0 - google.golang.org/genproto/googleapis/rpc to v0.0.0-20231009173412-8bfb1ae86b6c - google.golang.org/grpc to v1.58.3 Signed-off-by: Hidde Beydals --- go.mod | 22 +++++++++++----------- go.sum | 44 ++++++++++++++++++++++---------------------- 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/go.mod b/go.mod index b6511f7f4..4f6ee5383 100644 --- a/go.mod +++ b/go.mod 
@@ -7,9 +7,9 @@ require (
 cloud.google.com/go/storage v1.33.0
 filippo.io/age v1.1.1
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0
- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1
+ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1
- github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371
+ github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c
 github.com/aws/aws-sdk-go-v2 v1.21.1
 github.com/aws/aws-sdk-go-v2/config v1.18.44
 github.com/aws/aws-sdk-go-v2/credentials v1.13.42
@@ -21,7 +21,7 @@ require (
 github.com/fatih/color v1.15.0
 github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a
 github.com/golang/protobuf v1.5.3
- github.com/google/go-cmp v0.5.9
+ github.com/google/go-cmp v0.6.0
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 github.com/goware/prefixer v0.0.0-20160118172347-395022866408
 github.com/hashicorp/go-cleanhttp v0.5.2
@@ -34,22 +34,22 @@ require (
 github.com/sirupsen/logrus v1.9.3
 github.com/stretchr/testify v1.8.4
 github.com/urfave/cli v1.22.14
- golang.org/x/net v0.16.0
+ golang.org/x/net v0.17.0
 golang.org/x/sys v0.13.0
 golang.org/x/term v0.13.0
- google.golang.org/api v0.145.0
- google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13
- google.golang.org/grpc v1.58.2
+ google.golang.org/api v0.146.0
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20231009173412-8bfb1ae86b6c
+ google.golang.org/grpc v1.58.3
 google.golang.org/protobuf v1.31.0
 gopkg.in/ini.v1 v1.67.0
 gopkg.in/yaml.v3 v3.0.1
 )
 require (
- cloud.google.com/go v0.110.7 // indirect
+ cloud.google.com/go v0.110.8 // indirect
 cloud.google.com/go/compute v1.23.0 // indirect
 cloud.google.com/go/compute/metadata v0.2.3 // indirect
- cloud.google.com/go/iam v1.1.1 // indirect
+ cloud.google.com/go/iam v1.1.2 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
@@ -124,8 +124,8 @@ require (
 golang.org/x/tools v0.7.0 // indirect
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto v0.0.0-20230913181813-007df8e322eb // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20230913181813-007df8e322eb // indirect
+ google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20230920204549-e6e6cdab5c13 // indirect
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 )
diff --git a/go.sum b/go.sum
index d56735596..29bea6d41 100644
--- a/go.sum
+++ b/go.sum
@@ -1,12 +1,12 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.110.7 h1:rJyC7nWRg2jWGZ4wSJ5nY65GTdYJkg0cd/uXb+ACI6o= -cloud.google.com/go v0.110.7/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI= +cloud.google.com/go v0.110.8 h1:tyNdfIxjzaWctIiLYOTalaLKZ17SI44SKFW26QbOhME= +cloud.google.com/go v0.110.8/go.mod h1:Iz8AkXJf1qmxC3Oxoep8R1T36w8B92yU29PcBhHO5fk= cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY= cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= -cloud.google.com/go/iam v1.1.1 h1:lW7fzj15aVIXYHREOqjRBV9PsH0Z6u8Y46a1YGvQP4Y= -cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= +cloud.google.com/go/iam v1.1.2 h1:gacbrBdWcoVmGLozRuStX45YKvJtzIjJdAolzUs1sm4= +cloud.google.com/go/iam v1.1.2/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= cloud.google.com/go/kms v1.15.2 h1:lh6qra6oC4AyWe5fUUUBe/S27k12OHAleOOOw6KakdE= cloud.google.com/go/kms v1.15.2/go.mod h1:3hopT4+7ooWRCjc2DxgnpESFxhIraaI2IpAVUEhbT/w= cloud.google.com/go/storage v1.33.0 h1:PVrDOkIC8qQVa1P3SXGpQvfuJhN2LHOoyZvWs8D2X5M= 
@@ -15,8 +15,8 @@ filippo.io/age v1.1.1 h1:pIpO7l151hCnQ4BdyBujnGP2YlUo0uj6sAVNHGBvXHg= filippo.io/age v1.1.1/go.mod h1:l03SrzDUrBkdBx8+IILdnn2KZysqQdbEBUQ4p3sqEQE= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 h1:9kDVnTz3vbfweTqAUmk/a/pH5pWFCHtvRpHYC0G/dcA= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0/go.mod h1:3Ug6Qzto9anB6mGlEdgYMDF5zHQ+wwhEaYR4s17PHMw= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 h1:BMAjVKJM0U/CYF27gA0ZMmXGkOcvfFtD0oHVZ1TIPRI= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0/go.mod h1:1fXstnBMas5kzG+S3q8UoJcmyU6nUeunJcMDHcRYHhs= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 h1:MyVTgWR8qd/Jw1Le0NZebGBUCLbtak3bJ3z1OlqZBpw= 
@@ -33,8 +33,8 @@ github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2y github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw= github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk= -github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg= -github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= +github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE= +github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/aws/aws-sdk-go-v2 v1.21.1 h1:wjHYshtPpYOZm+/mu3NhVgRRc0baM6LJZOmxPZ5Cwzs= github.com/aws/aws-sdk-go-v2 v1.21.1/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= 
@@ -162,8 +162,8 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= @@ -343,8 +343,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.16.0 h1:7eBu7KsSvFDtSXUIDbh3aqlK4DPsZ1rByC8PFfBThos= -golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= 
@@ -425,8 +425,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.145.0 h1:kBjvf1A3/m30kUvnUX9jZJxTu3lJrpGFt5V/1YZrjwg= -google.golang.org/api v0.145.0/go.mod h1:OARJqIfoYjXJj4C1AiBSXYZt03qsoz8FQYU6fBEfrHM= +google.golang.org/api v0.146.0 h1:9aBYT4vQXt9dhCuLNfwfd3zpwu8atg0yPkjBymwSrOM= +google.golang.org/api v0.146.0/go.mod h1:OARJqIfoYjXJj4C1AiBSXYZt03qsoz8FQYU6fBEfrHM= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= 
@@ -434,19 +434,19 @@ google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCID google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20230913181813-007df8e322eb h1:XFBgcDwm7irdHTbz4Zk2h7Mh+eis4nfJEFQFYzJzuIA= -google.golang.org/genproto v0.0.0-20230913181813-007df8e322eb/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= -google.golang.org/genproto/googleapis/api v0.0.0-20230913181813-007df8e322eb h1:lK0oleSc7IQsUxO3U5TjL9DWlsxpEBemh+zpB7IqhWI= -google.golang.org/genproto/googleapis/api v0.0.0-20230913181813-007df8e322eb/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 h1:N3bU/SQDCDyD6R528GJ/PwW9KjYcJA3dgyH+MovAkIM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:KSqppvjFjtoCI+KGd4PELB0qLNxdJHRGqRI09mB6pQA= +google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 h1:SeZZZx0cP0fqUyA+oRzP9k7cSwJlvDFiROO72uwD6i0= +google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97/go.mod h1:t1VqOqqvce95G3hIDCT5FeO3YUc6Q4Oe24L/+rNMxRk= +google.golang.org/genproto/googleapis/api v0.0.0-20230920204549-e6e6cdab5c13 h1:U7+wNaVuSTaUqNvK2+osJ9ejEZxbjHHk8F2b6Hpx0AE= +google.golang.org/genproto/googleapis/api v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:RdyHbowztCGQySiCvQPgWQWgWhGnouTdCflKoDBt32U= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231009173412-8bfb1ae86b6c h1:jHkCUWkseRf+W+edG5hMzr/Uh1xkDREY4caybAq4dpY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231009173412-8bfb1ae86b6c/go.mod h1:4cYg8o5yUbm77w8ZX00LhMVNl/YVBFJRYWDc0uYWMs0= google.golang.org/grpc v1.19.0/go.mod 
h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.58.2 h1:SXUpjxeVF3FKrTYQI4f4KvbGD5u2xccdYdurwowix5I= -google.golang.org/grpc v1.58.2/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= +google.golang.org/grpc v1.58.3 h1:BjnpXut1btbtgN/6sp+brB2Kbm2LjNXnidYujAVbSoQ= +google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From 4135d8bfe270e401f21892bcb31689197d6ca32b Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 10 Oct 2023 23:54:28 +0200 Subject: [PATCH 118/135] Release v3.8.1 Signed-off-by: Hidde Beydals --- CHANGELOG.rst | 29 +++++++++++++++++++++++++++++ version/version.go | 2 +- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f119dcbb2..bf14cc22f 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -1,6 +1,35 @@
 Changelog
 =========
 
+3.8.1
+-----
+Improvements:
+
+* Improve handling of errors when binary store handles bad data (#1289)
+* On macOS, prefer ``XDG_CONFIG_HOME`` over os.UserConfigDir() (#1291)
+* Dependency updates (#1306, #1319, #1325)
+* pgp: better error reporting for missing GPG binary during import of keys (#1286)
+* Fix descriptions of unencrypted-regex and encrypted-regex flags, and ensure unencrypted_regex is considered in config validation (#1300)
+* stores/json: improve error messages when parsing invalid JSON (#1307)
+
+Bug fixes:
+
+* pgp: improve handling of GnuPG home dir (#1298)
+* Do not crash if an empty YAML file is encrypted (#1290)
+* Handling of various ignored errors (#1304, #1311)
+* pgp: do not require abs path for ``SOPS_GPG_EXEC`` (#1309)
+* Report key rotation errors (#1317)
+* Ensure wrapping of errors in main package (#1318)
+
+Project changes:
+
+* Enrich AWS authentication documentation (#1272)
+* Add linting for RST and MD files (#1287)
+* Delete SOPS encrypted file we don't have keys for (#1288)
+* CI dependency updates (#1295, #1301)
+* pgp: make error the last return value (#1310)
+* Improve documentation files (#1320)
+
 3.8.0
 -----
 Features:
diff --git a/version/version.go b/version/version.go
index 161bdcdea..744b46f71 100644
--- a/version/version.go
+++ b/version/version.go
@@ -12,7 +12,7 @@ import (
 )
 
 // Version represents the value of the current semantic version.
-var Version = "3.8.0"
+var Version = "3.8.1"
 
 // PrintVersion prints the current version of sops. If the flag
 // `--disable-version-check` is set, the function will not attempt
From d9a12ce6fe2967746c0f454de46b122a6c8674df Mon Sep 17 00:00:00 2001
From: Benjamin Ludewig
Date: Thu, 1 Sep 2022 23:14:53 +0200
Subject: [PATCH 119/135] config: respect `aws_profile` from group config
Signed-off-by: Benjamin Ludewig
---
 config/config.go | 2 +-
 config/config_test.go | 6 ++++--
 kms/keysource.go | 8 ++++++++
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/config/config.go b/config/config.go
index c2475a2b9..6f34e0066 100644
--- a/config/config.go
+++ b/config/config.go
@@ -164,7 +164,7 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
 keyGroup = append(keyGroup, pgp.NewMasterKeyFromFingerprint(k))
 }
 for _, k := range group.KMS {
- keyGroup = append(keyGroup, kms.NewMasterKey(k.Arn, k.Role, k.Context))
+ keyGroup = append(keyGroup, kms.NewMasterKeyWithProfile(k.Arn, k.Role, k.Context, k.AwsProfile))
 }
 for _, k := range group.GCPKMS {
 keyGroup = append(keyGroup, gcpkms.NewMasterKeyFromResourceID(k.ResourceID))
diff --git a/config/config_test.go b/config/config_test.go
index 4c43686c0..1c9814a41 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -93,6 +93,7 @@ creation_rules:
 key_groups:
 - kms:
 - arn: foo
+ aws_profile: bar
 pgp:
 - bar
 gcp_kms:
@@ -105,6 +106,7 @@ creation_rules:
 - 'https://foo.vault:8200/v1/foo/keys/foo-key'
 - kms:
 - arn: baz
+ aws_profile: foo
 pgp:
 - qux
 gcp_kms:
@@ -287,14 +289,14 @@ func TestLoadConfigFileWithGroups(t *testing.T) {
 PathRegex: "",
 KeyGroups: []keyGroup{
 {
- KMS: []kmsKey{{Arn: "foo"}},
+ KMS: []kmsKey{{Arn: "foo", AwsProfile: "bar"}},
 PGP: []string{"bar"},
 GCPKMS: []gcpKmsKey{{ResourceID: "foo"}},
 AzureKV: []azureKVKey{{VaultURL: "https://foo.vault.azure.net", Key: "foo-key", Version: "fooversion"}},
 Vault: []string{"https://foo.vault:8200/v1/foo/keys/foo-key"},
 },
 {
- KMS: []kmsKey{{Arn: "baz"}},
+ KMS: []kmsKey{{Arn: "baz", AwsProfile: "foo"}},
 PGP: []string{"qux"},
 GCPKMS: []gcpKmsKey{
 {ResourceID: "bar"},
diff --git a/kms/keysource.go b/kms/keysource.go
index a28398090..1749b3455 100644
--- a/kms/keysource.go
+++ b/kms/keysource.go
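Review bot: The new call site forwards `k.AwsProfile` unchanged, so an `aws_profile` value on a grouped `kms:` entry in `.sops.yaml` now selects which local AWS shared-config profile is used for that key, yet nothing in this commit documents how that interacts with an `AWS_PROFILE` environment variable or whether the non-grouped `kms:` creation-rule path, built outside this hunk, resolves the profile the same way. Since `NewMasterKeyFromArn` (visible in the kms/keysource.go hunk) already accepts an `awsProfile`, it is worth confirming both paths agree and then stating the precedence in the `kmsKey` field comment or README, e.g. `// AwsProfile names the local AWS shared-config profile used for this key's KMS calls.` with the precedence rule appended once confirmed. The enclosing `getKeyGroupsFromCreationRule` body starts and ends outside the hunk.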
@@ -88,6 +88,14 @@ func NewMasterKey(arn string, role string, context map[string]*string) *MasterKe
 }
 }
 
+// NewMasterKeyWithProfile creates a new MasterKey from an ARN, role, context
+// and awsProfile, setting the creation date to the current date.
+func NewMasterKeyWithProfile(arn string, role string, context map[string]*string, awsProfile string) *MasterKey {
+ k := NewMasterKey(arn, role, context)
+ k.AwsProfile = awsProfile
+ return k
+}
+
 // NewMasterKeyFromArn takes an ARN string and returns a new MasterKey for that
 // ARN.
 func NewMasterKeyFromArn(arn string, context map[string]*string, awsProfile string) *MasterKey {
From c9352b37e6966d9b4f836d76e450c7ac842c6cfa Mon Sep 17 00:00:00 2001
From: Benjamin Ludewig
Date: Fri, 13 Oct 2023 15:13:56 +0200
Subject: [PATCH 120/135] docs: add aws_profile to creation_rules examples
Signed-off-by: Benjamin Ludewig
---
 README.rst | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.rst b/README.rst
index c6a40453b..5ed120d1a 100644
--- a/README.rst
+++ b/README.rst
@@ -776,6 +776,7 @@ like so:
 context:
 foo: bar
 - arn: arn2
+ aws_profile: myprofile
 # Second key group
 - pgp:
 - fingerprint3
@@ -818,6 +819,7 @@ with ``shamir_threshold``:
 context:
 foo: bar
 - arn: arn2
+ aws_profile: myprofile
 # Second key group
 - pgp:
 - fingerprint3
From 3262d55738e2788950dc6a2f1c91cfb6bb22d7dc Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Fri, 13 Oct 2023 16:14:07 +0200
Subject: [PATCH 121/135] kms: add minimal test for `NewMasterKeyWithProfile`
Signed-off-by: Hidde Beydals
---
 kms/keysource_test.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/kms/keysource_test.go b/kms/keysource_test.go
index 4bed28621..855a1f880 100644
--- a/kms/keysource_test.go
+++ b/kms/keysource_test.go
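Review bot: The doc comment on `NewMasterKeyWithProfile` credits it with "setting the creation date to the current date", but its body only calls `NewMasterKey` and assigns `AwsProfile`, so that behaviour is inherited and the comment should say so and cover the empty-profile case, e.g. `// NewMasterKeyWithProfile is NewMasterKey with the key's AwsProfile set to awsProfile; an empty awsProfile leaves the field unset.` That last clause assumes `NewMasterKey` itself does not populate `AwsProfile`, which I cannot see because its body ends just above the hunk; presumably an unset profile then falls back to the default credential chain, but profile resolution happens elsewhere in the package. With `NewMasterKeyFromArn` also taking `awsProfile`, a one-line cross-reference between the two profile-aware constructors would make clear which one to use when a role is involved.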
@@ -122,6 +122,22 @@ func TestNewMasterKey(t *testing.T) {
 assert.NotNil(t, key.CreationDate)
 }
 
+func TestNewMasterKeyWithProfile(t *testing.T) {
+ var (
+ dummyRole = "a-role"
+ dummyEncryptionContext = map[string]*string{
+ "foo": aws.String("bar"),
+ }
+ dummyProfile = "a-profile"
+ )
+ key := NewMasterKeyWithProfile(dummyARN, dummyRole, dummyEncryptionContext, dummyProfile)
+ assert.Equal(t, dummyARN, key.Arn)
+ assert.Equal(t, dummyRole, key.Role)
+ assert.Equal(t, dummyEncryptionContext, key.EncryptionContext)
+ assert.Equal(t, dummyProfile, key.AwsProfile)
+ assert.NotNil(t, key.CreationDate)
+}
+
 func TestNewMasterKeyFromArn(t *testing.T) {
 t.Run("arn", func(t *testing.T) {
 var (
From 2dc648fb53ba40afe529b8374868687c663e5be8 Mon Sep 17 00:00:00 2001
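Review bot: `TestNewMasterKeyWithProfile` only checks that the constructor copies its four arguments into the struct, so a regression that stores `AwsProfile` but ignores it when credentials are resolved — the situation the config commit in this series was fixing — would still pass. If the package has a credential-loading path that reads `MasterKey.AwsProfile`, a case that passes a profile name absent from the shared config and asserts an error would pin the behaviour that matters; no such helper is visible in this hunk, so treat this as something to confirm rather than a defect in what is here. `dummyARN` is referenced from outside the hunk.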
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Oct 2023 09:42:37 +0000 Subject: [PATCH 122/135] build(deps): Bump the go group with 6 updates Bumps the go group with 6 updates: | Package | From | To | | --- | --- | --- | | [cloud.google.com/go/kms](https://github.com/googleapis/google-cloud-go) | `1.15.2` | `1.15.3` | | [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) | `1.21.1` | `1.21.2` | | [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.18.44` | `1.18.45` | | [github.com/aws/aws-sdk-go-v2/feature/s3/manager](https://github.com/aws/aws-sdk-go-v2) | `1.11.89` | `1.11.90` | | [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2) | `1.24.6` | `1.24.7` | | [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.146.0` | `0.147.0` | Updates `cloud.google.com/go/kms` from 1.15.2 to 1.15.3 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.15.2...kms/v1.15.3) Updates `github.com/aws/aws-sdk-go-v2` from 1.21.1 to 1.21.2 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.21.1...v1.21.2) Updates `github.com/aws/aws-sdk-go-v2/config` from 1.18.44 to 1.18.45 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.18.44...config/v1.18.45) Updates `github.com/aws/aws-sdk-go-v2/feature/s3/manager` from 1.11.89 to 1.11.90 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/feature/s3/manager/v1.11.89...feature/s3/manager/v1.11.90) Updates `github.com/aws/aws-sdk-go-v2/service/kms` from 1.24.6 to 1.24.7 - [Release 
notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/fsx/v1.24.6...service/fsx/v1.24.7) Updates `google.golang.org/api` from 0.146.0 to 0.147.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.146.0...v0.147.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/kms dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/feature/s3/manager dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/service/kms dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... Signed-off-by: dependabot[bot] --- go.mod | 44 ++++++++++++++--------------- go.sum | 88 +++++++++++++++++++++++++++++----------------------------- 2 files changed, 66 insertions(+), 66 deletions(-) diff --git a/go.mod b/go.mod index 4f6ee5383..791c7f342 100644 --- a/go.mod +++ b/go.mod 
@@ -3,20 +3,20 @@ module github.com/getsops/sops/v3
 go 1.19
 
 require (
- cloud.google.com/go/kms v1.15.2
+ cloud.google.com/go/kms v1.15.3
 cloud.google.com/go/storage v1.33.0
 filippo.io/age v1.1.1
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1
 github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c
- github.com/aws/aws-sdk-go-v2 v1.21.1
- github.com/aws/aws-sdk-go-v2/config v1.18.44
- github.com/aws/aws-sdk-go-v2/credentials v1.13.42
- github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.89
- github.com/aws/aws-sdk-go-v2/service/kms v1.24.6
- github.com/aws/aws-sdk-go-v2/service/s3 v1.40.1
- github.com/aws/aws-sdk-go-v2/service/sts v1.23.1
+ github.com/aws/aws-sdk-go-v2 v1.21.2
+ github.com/aws/aws-sdk-go-v2/config v1.18.45
+ github.com/aws/aws-sdk-go-v2/credentials v1.13.43
+ github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.90
+ github.com/aws/aws-sdk-go-v2/service/kms v1.24.7
+ github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2
+ github.com/aws/aws-sdk-go-v2/service/sts v1.23.2
 github.com/blang/semver v3.5.1+incompatible
 github.com/fatih/color v1.15.0
 github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a
@@ -37,7 +37,7 @@ require (
 golang.org/x/net v0.17.0
 golang.org/x/sys v0.13.0
 golang.org/x/term v0.13.0
- google.golang.org/api v0.146.0
+ google.golang.org/api v0.147.0
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231009173412-8bfb1ae86b6c
 google.golang.org/grpc v1.58.3
 google.golang.org/protobuf v1.31.0
@@ -57,17 +57,17 @@ require (
 github.com/Microsoft/go-winio v0.6.0 // indirect
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 // indirect
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.12 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.42 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.36 // indirect
- github.com/aws/aws-sdk-go-v2/internal/ini v1.3.44 // indirect
- github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.5 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.37 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.36 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.5 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.15.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect
 github.com/aws/smithy-go v1.15.0 // indirect
 github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 github.com/cenkalti/backoff/v4 v4.1.3 // indirect
@@ -117,15 +117,15 @@ require (
 go.opencensus.io v0.24.0 // indirect
 golang.org/x/crypto v0.14.0 // indirect
 golang.org/x/mod v0.9.0 // indirect
- golang.org/x/oauth2 v0.12.0 // indirect
- golang.org/x/sync v0.3.0 // indirect
+ golang.org/x/oauth2 v0.13.0 // indirect
+ golang.org/x/sync v0.4.0 // indirect
 golang.org/x/text v0.13.0 // indirect
 golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
 golang.org/x/tools v0.7.0 // indirect
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20230920204549-e6e6cdab5c13 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 // indirect
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 29bea6d41..f6e598ca9 100644
--- a/go.sum
+++ b/go.sum
@@ -7,8 +7,8 @@ cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGB
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/iam v1.1.2 h1:gacbrBdWcoVmGLozRuStX45YKvJtzIjJdAolzUs1sm4=
 cloud.google.com/go/iam v1.1.2/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU=
-cloud.google.com/go/kms v1.15.2 h1:lh6qra6oC4AyWe5fUUUBe/S27k12OHAleOOOw6KakdE=
-cloud.google.com/go/kms v1.15.2/go.mod h1:3hopT4+7ooWRCjc2DxgnpESFxhIraaI2IpAVUEhbT/w=
+cloud.google.com/go/kms v1.15.3 h1:RYsbxTRmk91ydKCzekI2YjryO4c5Y2M80Zwcs9/D/cI=
+cloud.google.com/go/kms v1.15.3/go.mod h1:AJdXqHxS2GlPyduM99s9iGqi2nwbviBbhV/hdmt4iOQ=
 cloud.google.com/go/storage v1.33.0 h1:PVrDOkIC8qQVa1P3SXGpQvfuJhN2LHOoyZvWs8D2X5M=
 cloud.google.com/go/storage v1.33.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/OxflYkiD8=
 filippo.io/age v1.1.1 h1:pIpO7l151hCnQ4BdyBujnGP2YlUo0uj6sAVNHGBvXHg=
@@ -36,44 +36,44 @@ github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8 github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE= github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/aws/aws-sdk-go-v2 v1.21.1 h1:wjHYshtPpYOZm+/mu3NhVgRRc0baM6LJZOmxPZ5Cwzs= -github.com/aws/aws-sdk-go-v2 v1.21.1/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= +github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA= +github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 h1:Sc82v7tDQ/vdU1WtuSyzZ1I7y/68j//HJ6uozND1IDs= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14/go.mod h1:9NCTOURS8OpxvoAVHq79LK81/zC78hfRWFn+aL0SPcY= -github.com/aws/aws-sdk-go-v2/config v1.18.44 h1:U10NQ3OxiY0dGGozmVIENIDnCT0W432PWxk2VO8wGnY= -github.com/aws/aws-sdk-go-v2/config v1.18.44/go.mod h1:pHxnQBldd0heEdJmolLBk78D1Bf69YnKLY3LOpFImlU= -github.com/aws/aws-sdk-go-v2/credentials v1.13.42 h1:KMkjpZqcMOwtRHChVlHdNxTUUAC6NC/b58mRZDIdcRg= -github.com/aws/aws-sdk-go-v2/credentials v1.13.42/go.mod h1:7ltKclhvEB8305sBhrpls24HGxORl6qgnQqSJ314Uw8= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.12 h1:3j5lrl9kVQrJ1BU4O0z7MQ8sa+UXdiLuo4j0V+odNI8= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.12/go.mod h1:JbFpcHDBdsex1zpIKuVRorZSQiZEyc3MykNCcjgz174= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.89 h1:XPqSyw8SBSLMRrF9Oip6tQpivXWJLMn8sdRoAsUCQQA= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.89/go.mod h1:OkYwM7gYm9HieL6emYtkg7Pb7Jd8FFM5Pl5uAZ1h2jo= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.42 h1:817VqVe6wvwE46xXy6YF5RywvjOX6U2zRQQ6IbQFK0s= 
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.42/go.mod h1:oDfgXoBBmj+kXnqxDDnIDnC56QBosglKp8ftRCTxR+0= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.36 h1:7ZApaXzWbo8slc+W5TynuUlB4z66g44h7uqa3/d/BsY= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.36/go.mod h1:rwr4WnmFi3RJO0M4dxbJtgi9BPLMpVBMX1nUte5ha9U= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.44 h1:quOJOqlbSfeJTboXLjYXM1M9T52LBXqLoTPlmsKLpBo= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.44/go.mod h1:LNy+P1+1LiRcCsVYr/4zG5n8zWFL0xsvZkOybjbftm8= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.5 h1:8JG9ny0BqBDzmtIzbpaN+eke152ZNsYKApFJ/q29Hxo= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.5/go.mod h1:kEDHQApP/ukMO9natNftgUN3NaTsMxK6jb2jjpSMX7Y= +github.com/aws/aws-sdk-go-v2/config v1.18.45 h1:Aka9bI7n8ysuwPeFdm77nfbyHCAKQ3z9ghB3S/38zes= +github.com/aws/aws-sdk-go-v2/config v1.18.45/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= +github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8= +github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.90 h1:mtJRt80k1oGw7QQPluAx8AZ6u16MyCA2di/lMhagZ7I= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.90/go.mod h1:lYwZTkeMQWPvNU+u7oYArdNhQ8EKiSGU76jVv0w2GH4= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod 
h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 h1:hze8YsjSh8Wl1rYa1CJpRmXP21BvOBuc76YhW0HsuQ4= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45/go.mod h1:lD5M20o09/LCuQ2mE62Mb/iSdSlCNuj6H5ci7tW7OsE= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 h1:wmGLw2i8ZTlHLw7a9ULGfQbuccw8uIiNr6sol5bFzc8= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6/go.mod h1:Q0Hq2X/NuL7z8b1Dww8rmOFl+jzusKEcyvkKspwdpyc= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 h1:7R8uRYyXzdD71KWVCL78lJZltah6VVznXBazvKjfH58= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15/go.mod h1:26SQUPcTNgV1Tapwdt4a1rOsYRsnBsJHLMPoxK2b0d8= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.37 h1:Mx1zJlYbiUQANWT40koevLvxawGFolmkaP4m+LuyG7M= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.37/go.mod h1:PjKIAMFthKPgG/B8bbRpo3F8jfr2q2L+w3u78jJ12a0= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.36 h1:YXlm7LxwNlauqb2OrinWlcvtsflTzP8GaMvYfQBhoT4= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.36/go.mod h1:ou9ffqJ9hKOVZmjlC6kQ6oROAyG1M4yBKzR+9BKbDwk= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.5 h1:sAAz28SeA7YZl8Yaphjs9tlLsflhdniQPjf3X2cqr4s= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.5/go.mod h1:HC7gNz3VH0p+RvLKK+HqNQv/gHy+1Os3ko/F41s3+aw= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.6 h1:rp9DrFG3na9nuqsBZWb5KwvZrODhjayqFVJe8jmeVY8= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.6/go.mod h1:I/absi3KLfE37J5QWMKyoYT8ZHA9t8JOC+Rb7Cyy+vc= -github.com/aws/aws-sdk-go-v2/service/s3 v1.40.1 h1:FqIaVPbs2W8U3fszl2PCL1IDKeRdM7TssjWamL6b2mg= -github.com/aws/aws-sdk-go-v2/service/s3 v1.40.1/go.mod h1:X0e0NCAx4GjOrKro7s9QYy+YEIFhgCkt6gYKVKhZB5Y= -github.com/aws/aws-sdk-go-v2/service/sso v1.15.1 h1:ZN3bxw9OYC5D6umLw6f57rNJfGfhg1DIAAcKpzyUTOE= -github.com/aws/aws-sdk-go-v2/service/sso v1.15.1/go.mod 
h1:PieckvBoT5HtyB9AsJRrYZFY2Z+EyfVM/9zG6gbV8DQ= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.2 h1:fSCCJuT5i6ht8TqGdZc5Q5K9pz/atrf7qH4iK5C9XzU= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.2/go.mod h1:5eNtr+vNc5vVd92q7SJ+U/HszsIdhZBEyi9dkMRKsp8= -github.com/aws/aws-sdk-go-v2/service/sts v1.23.1 h1:ASNYk1ypWAxRhJjKS0jBnTUeDl7HROOpeSMu1xDA/I8= -github.com/aws/aws-sdk-go-v2/service/sts v1.23.1/go.mod h1:2cnsAhVT3mqusovc2stUSUrSBGTcX9nh8Tu6xh//2eI= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 h1:skaFGzv+3kA+v2BPKhuekeb1Hbb105+44r8ASC+q5SE= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38/go.mod h1:epIZoRSSbRIwLPJU5F+OldHhwZPBdpDeQkRdCeY3+00= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 h1:WWZA/I2K4ptBS1kg0kV1JbBtG/umed0vwHRrmcr9z7k= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37/go.mod h1:vBmDnwWXWxNPFRMmG2m/3MKOe+xEcMDo1tanpaWCcck= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 h1:9ulSU5ClouoPIYhDQdg9tpl83d5Yb91PXTKK+17q+ow= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6/go.mod h1:lnc2taBsR9nTlz9meD+lhFZZ9EWY712QHrRflWpTcOA= +github.com/aws/aws-sdk-go-v2/service/kms v1.24.7 h1:uRGw0UKo5hc7M2T7uGsK/Yg2qwecq/dnVjQbbq9RCzY= +github.com/aws/aws-sdk-go-v2/service/kms v1.24.7/go.mod h1:z3O9CXfVrKAV3c9fMWOUUv2C6N2ggXCDHeXpOB6lAEk= +github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2 h1:Ll5/YVCOzRB+gxPqs2uD0R7/MyATC0w85626glSKmp4= +github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2/go.mod h1:Zjfqt7KhQK+PO1bbOsFNzKgaq7TcxzmEoDWN8lM0qzQ= +github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 h1:JuPGc7IkOP4AaqcZSIcyqLpFSqBWK32rM9+a1g6u73k= +github.com/aws/aws-sdk-go-v2/service/sso v1.15.2/go.mod h1:gsL4keucRCgW+xA85ALBpRFfdSLH4kHOVSnLMSuBECo= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 h1:HFiiRkf1SdaAmV3/BHOFZ9DjFynPHj8G/UIO1lQS+fk= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3/go.mod h1:a7bHA82fyUXOm+ZSWKU6PIoBxrjSprdLoM8xPYvzYVg= 
+github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 h1:0BkLfgeDjfZnZ+MhB3ONb01u9pwFYTCZVhlsSSBvlbU= +github.com/aws/aws-sdk-go-v2/service/sts v1.23.2/go.mod h1:Eows6e1uQEsc4ZaHANmsPRzAKcVDrcmjjWiih2+HUUQ= github.com/aws/smithy-go v1.15.0 h1:PS/durmlzvAFpQHDs4wi4sNNP9ExsqZh6IlfdHXgKK8= github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= @@ -346,8 +346,8 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= -golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= +golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY= +golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -355,8 +355,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= -golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= +golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -425,8 +425,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.146.0 h1:9aBYT4vQXt9dhCuLNfwfd3zpwu8atg0yPkjBymwSrOM= -google.golang.org/api v0.146.0/go.mod h1:OARJqIfoYjXJj4C1AiBSXYZt03qsoz8FQYU6fBEfrHM= +google.golang.org/api v0.147.0 h1:Can3FaQo9LlVqxJCodNmeZW/ib3/qKAY3rFeXiHo5gc= +google.golang.org/api v0.147.0/go.mod h1:pQ/9j83DcmPd/5C9e2nFOdjjNkDZ1G+zkbK2uvdkJMs= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= 
@@ -436,8 +436,8 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 h1:SeZZZx0cP0fqUyA+oRzP9k7cSwJlvDFiROO72uwD6i0= google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97/go.mod h1:t1VqOqqvce95G3hIDCT5FeO3YUc6Q4Oe24L/+rNMxRk= -google.golang.org/genproto/googleapis/api v0.0.0-20230920204549-e6e6cdab5c13 h1:U7+wNaVuSTaUqNvK2+osJ9ejEZxbjHHk8F2b6Hpx0AE= -google.golang.org/genproto/googleapis/api v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:RdyHbowztCGQySiCvQPgWQWgWhGnouTdCflKoDBt32U= +google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 h1:W18sezcAYs+3tDZX4F80yctqa12jcP1PUS2gQu1zTPU= +google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97/go.mod h1:iargEX0SFPm3xcfMI0d1domjg0ZF4Aa0p2awqyxhvF0= google.golang.org/genproto/googleapis/rpc v0.0.0-20231009173412-8bfb1ae86b6c h1:jHkCUWkseRf+W+edG5hMzr/Uh1xkDREY4caybAq4dpY= google.golang.org/genproto/googleapis/rpc v0.0.0-20231009173412-8bfb1ae86b6c/go.mod h1:4cYg8o5yUbm77w8ZX00LhMVNl/YVBFJRYWDc0uYWMs0= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= From faec355317347493e93b48bba59238b88c42fd9d Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 17 Oct 2023 16:17:03 +0200 Subject: [PATCH 123/135] kms: improve AWS profile test Due to the AWS SDK addressing a bug, which causes it to be more strict when loading a configured profile. Signed-off-by: Hidde Beydals --- kms/keysource_test.go | 42 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/kms/keysource_test.go b/kms/keysource_test.go index 855a1f880..c9898d395 100644 --- a/kms/keysource_test.go +++ b/kms/keysource_test.go @@ -6,6 +6,7 @@ import ( "fmt" logger "log" "os" + "path/filepath" "testing" "time" 
@@ -399,14 +400,14 @@ func TestMasterKey_createKMSConfig(t *testing.T) { tests := []struct { name string key MasterKey + envFunc func(t *testing.T) assertFunc func(t *testing.T, cfg *aws.Config, err error) fallback bool }{ { - name: "valid config", + name: "valid config with credentials provider", key: MasterKey{ credentialsProvider: credentials.NewStaticCredentialsProvider("test-id", "test-secret", "test-token"), - AwsProfile: "test-profile", Arn: "arn:aws:kms:us-west-2:107501996527:key/612d5f0p-p1l3-45e6-aca6-a5b005693a48", }, assertFunc: func(t *testing.T, cfg *aws.Config, err error) { @@ -418,6 +419,30 @@ func TestMasterKey_createKMSConfig(t *testing.T) { assert.Equal(t, "test-id", creds.AccessKeyID) assert.Equal(t, "test-secret", creds.SecretAccessKey) assert.Equal(t, "test-token", creds.SessionToken) + }, + }, + { + name: "valid config with profile", + key: MasterKey{ + AwsProfile: "test-profile", + Arn: "arn:aws:kms:us-west-2:107501996527:key/612d5f0p-p1l3-45e6-aca6-a5b005693a48", + }, + envFunc: func(t *testing.T) { + credentialsFile := filepath.Join(t.TempDir(), ".aws", "credentials") + assert.NoError(t, os.MkdirAll(filepath.Dir(credentialsFile), 0o700)) + assert.NoError(t, os.WriteFile(credentialsFile, []byte(`[test-profile] +aws_access_key_id = test-id +aws_secret_access_key = test-secret`), 0600)) + + t.Setenv("AWS_SHARED_CREDENTIALS_FILE", credentialsFile) + }, + assertFunc: func(t *testing.T, cfg *aws.Config, err error) { + assert.NoError(t, err) + + creds, err := cfg.Credentials.Retrieve(context.TODO()) + assert.NoError(t, err) + assert.Equal(t, "test-id", creds.AccessKeyID) + assert.Equal(t, "test-secret", creds.SecretAccessKey) // ConfigSources is a slice of config.Config, which in turn is an interface. // Since we use a LoadOptions object, we assert the type of cfgSrc and then 
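Review bot: The "valid config with profile" case isolates only the shared credentials file; `envFunc` sets `AWS_SHARED_CREDENTIALS_FILE` but leaves `AWS_CONFIG_FILE` (and `AWS_PROFILE`) at whatever the developer's or CI machine's environment provides, so a real `~/.aws/config` that happens to contain a `[profile test-profile]` section with e.g. `role_arn` or `credential_process` could change what `cfg.Credentials.Retrieve` returns and make the test flaky or, worse, fire a real credential lookup. Presumably `createKMSConfig` (outside the hunk) goes through the SDK's shared-config loader, so the cheap fix is to pin the config file to the same temp directory: `configFile := filepath.Join(filepath.Dir(credentialsFile), "config")`, `assert.NoError(t, os.WriteFile(configFile, nil, 0o600))`, `t.Setenv("AWS_CONFIG_FILE", configFile)`. While touching those lines, `os.WriteFile(..., 0600)` should be written `0o600` to match the `0o700` used one line above. The enclosing `TestMasterKey_createKMSConfig` continues past this hunk.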
@@ -457,7 +482,11 @@ func TestMasterKey_createKMSConfig(t *testing.T) { key: MasterKey{ Arn: "arn:aws:kms:us-west-2:107501996527:key/612d5f0p-p1l3-45e6-aca6-a5b005693a48", }, - fallback: true, + envFunc: func(t *testing.T) { + t.Setenv("AWS_ACCESS_KEY_ID", "id") + t.Setenv("AWS_SECRET_ACCESS_KEY", "secret") + t.Setenv("AWS_SESSION_TOKEN", "token") + }, assertFunc: func(t *testing.T, cfg *aws.Config, err error) { assert.NoError(t, err) @@ -473,11 +502,8 @@ func TestMasterKey_createKMSConfig(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { tt := tt - // Set the environment variables if we want to fallback - if tt.fallback { - t.Setenv("AWS_ACCESS_KEY_ID", "id") - t.Setenv("AWS_SECRET_ACCESS_KEY", "secret") - t.Setenv("AWS_SESSION_TOKEN", "token") + if tt.envFunc != nil { + tt.envFunc(t) } cfg, err := tt.key.createKMSConfig() tt.assertFunc(t, cfg, err) From 385d6f545647294c35bb5cca3146c00be4eb09e7 Mon Sep 17 00:00:00 2001 
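Review bot: The `fallback bool` field of the table struct is left behind as dead state: this hunk replaces `if tt.fallback { ... }` with `if tt.envFunc != nil { tt.envFunc(t) }` and removes the only visible `fallback: true` entry, so nothing reads the field any more, yet the struct declaration in the earlier hunk still carries `fallback bool` (Go will not flag an unused struct field). Unless another table entry outside the visible hunks still sets it, drop the field so the next reader does not assume a fallback path exists: delete `fallback bool` from the struct literal. `TestMasterKey_createKMSConfig` starts before and ends after this hunk.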
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Oct 2023 10:02:44 +0000 Subject: [PATCH 124/135] build(deps): Bump the go group with 3 updates Bumps the go group with 3 updates: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2), [google.golang.org/api](https://github.com/googleapis/google-api-go-client) and [google.golang.org/grpc](https://github.com/grpc/grpc-go). Updates `github.com/aws/aws-sdk-go-v2/config` from 1.18.45 to 1.19.0 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/v1.19.0/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.18.45...v1.19.0) Updates `google.golang.org/api` from 0.147.0 to 0.148.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.147.0...v0.148.0) Updates `google.golang.org/grpc` from 1.58.3 to 1.59.0 - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.58.3...v1.59.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... Signed-off-by: dependabot[bot] --- go.mod | 8 ++++---- go.sum | 15 ++++++++------- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/go.mod b/go.mod index 791c7f342..ed800b7fa 100644 --- a/go.mod +++ b/go.mod 
@@ -11,7 +11,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c github.com/aws/aws-sdk-go-v2 v1.21.2 - github.com/aws/aws-sdk-go-v2/config v1.18.45 + github.com/aws/aws-sdk-go-v2/config v1.19.0 github.com/aws/aws-sdk-go-v2/credentials v1.13.43 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.90 github.com/aws/aws-sdk-go-v2/service/kms v1.24.7 @@ -37,9 +37,9 @@ require ( golang.org/x/net v0.17.0 golang.org/x/sys v0.13.0 golang.org/x/term v0.13.0 - google.golang.org/api v0.147.0 - google.golang.org/genproto/googleapis/rpc v0.0.0-20231009173412-8bfb1ae86b6c - google.golang.org/grpc v1.58.3 + google.golang.org/api v0.148.0 + google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a + google.golang.org/grpc v1.59.0 google.golang.org/protobuf v1.31.0 gopkg.in/ini.v1 v1.67.0 gopkg.in/yaml.v3 v3.0.1 diff --git a/go.sum b/go.sum index f6e598ca9..04b5ee925 100644 --- a/go.sum +++ b/go.sum 
@@ -40,8 +40,9 @@ github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 h1:Sc82v7tDQ/vdU1WtuSyzZ1I7y/68j//HJ6uozND1IDs= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14/go.mod h1:9NCTOURS8OpxvoAVHq79LK81/zC78hfRWFn+aL0SPcY= -github.com/aws/aws-sdk-go-v2/config v1.18.45 h1:Aka9bI7n8ysuwPeFdm77nfbyHCAKQ3z9ghB3S/38zes= github.com/aws/aws-sdk-go-v2/config v1.18.45/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= +github.com/aws/aws-sdk-go-v2/config v1.19.0 h1:AdzDvwH6dWuVARCl3RTLGRc4Ogy+N7yLFxVxXe1ClQ0= +github.com/aws/aws-sdk-go-v2/config v1.19.0/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8= github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ= 
@@ -425,8 +426,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.147.0 h1:Can3FaQo9LlVqxJCodNmeZW/ib3/qKAY3rFeXiHo5gc= -google.golang.org/api v0.147.0/go.mod h1:pQ/9j83DcmPd/5C9e2nFOdjjNkDZ1G+zkbK2uvdkJMs= +google.golang.org/api v0.148.0 h1:HBq4TZlN4/1pNcu0geJZ/Q50vIwIXT532UIMYoo0vOs= +google.golang.org/api v0.148.0/go.mod h1:8/TBgwaKjfqTdacOJrOv2+2Q6fBDU1uHKK06oGSkxzU= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= 
@@ -438,15 +439,15 @@ google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 h1:SeZZZx0cP0fqUyA google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97/go.mod h1:t1VqOqqvce95G3hIDCT5FeO3YUc6Q4Oe24L/+rNMxRk= google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 h1:W18sezcAYs+3tDZX4F80yctqa12jcP1PUS2gQu1zTPU= google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97/go.mod h1:iargEX0SFPm3xcfMI0d1domjg0ZF4Aa0p2awqyxhvF0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231009173412-8bfb1ae86b6c h1:jHkCUWkseRf+W+edG5hMzr/Uh1xkDREY4caybAq4dpY= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231009173412-8bfb1ae86b6c/go.mod h1:4cYg8o5yUbm77w8ZX00LhMVNl/YVBFJRYWDc0uYWMs0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a h1:a2MQQVoTo96JC9PMGtGBymLp7+/RzpFc2yX/9WfFg1c= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a/go.mod h1:4cYg8o5yUbm77w8ZX00LhMVNl/YVBFJRYWDc0uYWMs0= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.58.3 h1:BjnpXut1btbtgN/6sp+brB2Kbm2LjNXnidYujAVbSoQ= -google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= +google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= +google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From dc2a7520eb44412d20712ba3e2eceb96b4f8b286 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Oct 2023 22:41:00 +0000 Subject: [PATCH 125/135] build(deps): Bump the go group with 1 update Bumps the go group with 1 update: [github.com/aws/aws-sdk-go-v2/feature/s3/manager](https://github.com/aws/aws-sdk-go-v2). - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/feature/s3/manager/v1.11.90...feature/s3/manager/v1.11.91) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/feature/s3/manager dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index ed800b7fa..3f1ceb4ef 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/aws/aws-sdk-go-v2 v1.21.2 github.com/aws/aws-sdk-go-v2/config v1.19.0 github.com/aws/aws-sdk-go-v2/credentials v1.13.43 - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.90 + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.91 github.com/aws/aws-sdk-go-v2/service/kms v1.24.7 github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2 github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 diff --git a/go.sum b/go.sum index 04b5ee925..5a3646497 100644 --- a/go.sum +++ b/go.sum 
@@ -40,15 +40,14 @@ github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 h1:Sc82v7tDQ/vdU1WtuSyzZ1I7y/68j//HJ6uozND1IDs= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14/go.mod h1:9NCTOURS8OpxvoAVHq79LK81/zC78hfRWFn+aL0SPcY= -github.com/aws/aws-sdk-go-v2/config v1.18.45/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= github.com/aws/aws-sdk-go-v2/config v1.19.0 h1:AdzDvwH6dWuVARCl3RTLGRc4Ogy+N7yLFxVxXe1ClQ0= github.com/aws/aws-sdk-go-v2/config v1.19.0/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8= github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.90 h1:mtJRt80k1oGw7QQPluAx8AZ6u16MyCA2di/lMhagZ7I= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.90/go.mod h1:lYwZTkeMQWPvNU+u7oYArdNhQ8EKiSGU76jVv0w2GH4= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.91 h1:haAyxKHwoE+y/TJt+qHcPQf1dCViyyGbWcKjjYUllTE= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.91/go.mod h1:ACQ6ta5YFlfSOz2c9A+EVYawLxFMZ0rI3Q0A0tGieKo= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc= From 0a2a58bd26a79eced41d103824bf73502eed9978 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Oct 2023 15:39:50 +0000 Subject: [PATCH 126/135] build(deps): Bump github.com/docker/docker Bumps [github.com/docker/docker](https://github.com/docker/docker) from 20.10.24+incompatible to 24.0.7+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v20.10.24...v24.0.7) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 3f1ceb4ef..210972620 100644 --- a/go.mod +++ b/go.mod @@ -76,7 +76,7 @@ require ( github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/docker/cli v20.10.17+incompatible // indirect - github.com/docker/docker v20.10.24+incompatible // indirect + github.com/docker/docker v24.0.7+incompatible // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-units v0.4.0 // indirect github.com/go-jose/go-jose/v3 v3.0.0 // indirect diff --git a/go.sum b/go.sum index 5a3646497..47eeb0bc4 100644 --- a/go.sum +++ b/go.sum 
@@ -108,8 +108,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/docker/cli v20.10.17+incompatible h1:eO2KS7ZFeov5UJeaDmIs1NFEDRf32PaqRpvoEkKBy5M= github.com/docker/cli v20.10.17+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/docker v20.10.24+incompatible h1:Ugvxm7a8+Gz6vqQYQQ2W7GYq5EUPaAiuPgIfVyI3dYE= -github.com/docker/docker v20.10.24+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM= +github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= From 13e567e0acfaf0af8396afd8aafcd9f5b1821ddc Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Oct 2023 16:41:44 +0000 Subject: [PATCH 127/135] build(deps): Bump the go group with 3 updates Bumps the go group with 3 updates: [cloud.google.com/go/kms](https://github.com/googleapis/google-cloud-go), [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/feature/s3/manager](https://github.com/aws/aws-sdk-go-v2). Updates `cloud.google.com/go/kms` from 1.15.3 to 1.15.4 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.15.3...kms/v1.15.4) Updates `github.com/aws/aws-sdk-go-v2/config` from 1.19.0 to 1.19.1 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/v1.19.1/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.19.0...v1.19.1) Updates `github.com/aws/aws-sdk-go-v2/feature/s3/manager` from 1.11.91 to 1.11.92 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/feature/s3/manager/v1.11.91...feature/s3/manager/v1.11.92) --- updated-dependencies: - dependency-name: cloud.google.com/go/kms dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/feature/s3/manager dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 210972620..3f90f5a3a 100644 
--- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/getsops/sops/v3 go 1.19 require ( - cloud.google.com/go/kms v1.15.3 + cloud.google.com/go/kms v1.15.4 cloud.google.com/go/storage v1.33.0 filippo.io/age v1.1.1 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 @@ -11,9 +11,9 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c github.com/aws/aws-sdk-go-v2 v1.21.2 - github.com/aws/aws-sdk-go-v2/config v1.19.0 + github.com/aws/aws-sdk-go-v2/config v1.19.1 github.com/aws/aws-sdk-go-v2/credentials v1.13.43 - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.91 + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.92 github.com/aws/aws-sdk-go-v2/service/kms v1.24.7 github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2 github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 diff --git a/go.sum b/go.sum index 47eeb0bc4..1f2dfe092 100644 --- a/go.sum +++ b/go.sum @@ -7,8 +7,8 @@ cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGB cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= cloud.google.com/go/iam v1.1.2 h1:gacbrBdWcoVmGLozRuStX45YKvJtzIjJdAolzUs1sm4= cloud.google.com/go/iam v1.1.2/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= -cloud.google.com/go/kms v1.15.3 h1:RYsbxTRmk91ydKCzekI2YjryO4c5Y2M80Zwcs9/D/cI= -cloud.google.com/go/kms v1.15.3/go.mod h1:AJdXqHxS2GlPyduM99s9iGqi2nwbviBbhV/hdmt4iOQ= +cloud.google.com/go/kms v1.15.4 h1:gEZzC54ZBI+aeW8/jg9tgz9KR4Aa+WEDPbdGIV3iJ7A= +cloud.google.com/go/kms v1.15.4/go.mod h1:L3Sdj6QTHK8dfwK5D1JLsAyELsNMnd3tAIwGS4ltKpc= cloud.google.com/go/storage v1.33.0 h1:PVrDOkIC8qQVa1P3SXGpQvfuJhN2LHOoyZvWs8D2X5M= cloud.google.com/go/storage v1.33.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/OxflYkiD8= filippo.io/age v1.1.1 h1:pIpO7l151hCnQ4BdyBujnGP2YlUo0uj6sAVNHGBvXHg= 
@@ -40,14 +40,14 @@ github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 h1:Sc82v7tDQ/vdU1WtuSyzZ1I7y/68j//HJ6uozND1IDs= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14/go.mod h1:9NCTOURS8OpxvoAVHq79LK81/zC78hfRWFn+aL0SPcY= -github.com/aws/aws-sdk-go-v2/config v1.19.0 h1:AdzDvwH6dWuVARCl3RTLGRc4Ogy+N7yLFxVxXe1ClQ0= -github.com/aws/aws-sdk-go-v2/config v1.19.0/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= +github.com/aws/aws-sdk-go-v2/config v1.19.1 h1:oe3vqcGftyk40icfLymhhhNysAwk0NfiwkDi2GTPMXs= +github.com/aws/aws-sdk-go-v2/config v1.19.1/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8= github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.91 h1:haAyxKHwoE+y/TJt+qHcPQf1dCViyyGbWcKjjYUllTE= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.91/go.mod h1:ACQ6ta5YFlfSOz2c9A+EVYawLxFMZ0rI3Q0A0tGieKo= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.92 h1:nLA7dGFC6v4P6b+hzqt5GqIGmIuN+jTJzojfdOLXWFE= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.92/go.mod h1:h+ei9z19AhoN+Dac92DwkzfbJ4mFUea92xgl5pKSG0Q= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc= 
From 02c65971c44a4c942350c738c72d164ef5966c45 Mon Sep 17 00:00:00 2001 From: Bastien Wermeille Date: Fri, 3 Nov 2023 07:29:47 +0100 Subject: [PATCH 128/135] Improve README.rst Signed-off-by: Bastien Wermeille --- README.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.rst b/README.rst index 5ed120d1a..2400172c7 100644 --- a/README.rst +++ b/README.rst @@ -203,7 +203,7 @@ configuration directory. On Linux, this would be ``$XDG_CONFIG_HOME/sops/age/key On macOS, this would be ``$HOME/Library/Application Support/sops/age/keys.txt``. On Windows, this would be ``%AppData%\sops\age\keys.txt``. You can specify the location of this file manually by setting the environment variable **SOPS_AGE_KEY_FILE**. -Alternatively you can provide the the key(s) directly by setting the **SOPS_AGE_KEY** +Alternatively, you can provide the key(s) directly by setting the **SOPS_AGE_KEY** environment variable. The contents of this key file should be a list of age X25519 identities, one @@ -483,7 +483,7 @@ with the freshly added master keys. The removed entries are simply deleted from the file. When removing keys, it is recommended to rotate the data key using ``-r``, -otherwise owners of the removed key may have add access to the data key in the +otherwise, owners of the removed key may have add access to the data key in the past. KMS AWS Profiles @@ -566,7 +566,7 @@ SOPS has the ability to use `AWS KMS key policy and encryption context `_ to refine the access control of a given KMS master key. -When creating a new file, you can specify encryption context in the +When creating a new file, you can specify the encryption context in the ``--encryption-context`` flag by comma separated list of key-value pairs: .. code:: sh 
@@ -977,7 +977,7 @@ written to disk. If the command you want to run only operates on files, you can use ``exec-file`` -instead. By default SOPS will use a FIFO to pass the contents of the +instead. By default, SOPS will use a FIFO to pass the contents of the decrypted file to the new program. Using a FIFO, secrets are only passed in memory which has two benefits: the plaintext secrets never touch the disk, and the child process can only read the secrets once. In contexts where this won't @@ -1094,8 +1094,8 @@ configuring the client. ``vault_kv_mount_name`` is used if your Vault KV is mounted somewhere other than ``secret/``. ``vault_kv_version`` supports ``1`` and ``2``, with ``2`` being the default. -If destination secret path already exists in Vault and contains same data as the source file, it -will be skipped. +If the destination secret path already exists in Vault and contains the same data as the source +file, it will be skipped. Below is an example of publishing to Vault (using token auth with a local dev instance of Vault). @@ -1445,7 +1445,7 @@ will encrypt the values under the ``data`` and ``stringData`` keys in a YAML fil containing kubernetes secrets. It will not encrypt other values that help you to navigate the file, like ``metadata`` which contains the secrets' names. -Conversely, you can opt in to only left certain keys without encrypting by using the +Conversely, you can opt in to only leave certain keys without encrypting by using the ``--unencrypted-regex`` option, which will leave the values unencrypted of those keys that match the supplied regular expression. For example, this command: From 68ae61bbbd1c591d010fec405dbbd5fce8d70f68 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Thu, 2 Nov 2023 22:23:10 +0100 Subject: [PATCH 129/135] Fix typos. 
Signed-off-by: Felix Fontein --- cmd/sops/main.go | 2 +- functional-tests/src/lib.rs | 2 +- hcvault/keysource_test.go | 2 +- kms/keysource_test.go | 4 ++-- pgp/keysource.go | 4 ++-- shamir/shamir_test.go | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/cmd/sops/main.go b/cmd/sops/main.go index 261c8421d..0d72453a1 100644 --- a/cmd/sops/main.go +++ b/cmd/sops/main.go @@ -390,7 +390,7 @@ func main() { }, cli.StringSliceFlag{ Name: "hc-vault-transit", - Usage: "the full vault path to the key used to encrypt/decrypt. Make you choose and configure a key with encrption/decryption enabled (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev'). Can be specified more than once", + Usage: "the full vault path to the key used to encrypt/decrypt. Make you choose and configure a key with encryption/decryption enabled (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev'). Can be specified more than once", }, cli.StringSliceFlag{ Name: "age", diff --git a/functional-tests/src/lib.rs b/functional-tests/src/lib.rs index e5e92f799..98881d4ee 100644 --- a/functional-tests/src/lib.rs +++ b/functional-tests/src/lib.rs @@ -508,7 +508,7 @@ b: ba"# .expect("Error running sops"); assert!(!output.status .success(), - "SOPS succeeded decrypting a file with a missing decrytion key"); + "SOPS succeeded decrypting a file with a missing decryption key"); } #[test] diff --git a/hcvault/keysource_test.go b/hcvault/keysource_test.go index 5f548caac..54eb2fcb0 100644 --- a/hcvault/keysource_test.go +++ b/hcvault/keysource_test.go @@ -85,7 +85,7 @@ func TestMain(m *testing.M) { code = m.Run() } - // This can't be deferred, as os.Exit simpy does not care + // This can't be deferred, as os.Exit simply does not care if err := pool.Purge(resource); err != nil { logger.Fatalf("could not purge resource: %s", err) } diff --git a/kms/keysource_test.go b/kms/keysource_test.go index c9898d395..a2bb76b3f 100644 --- a/kms/keysource_test.go +++ b/kms/keysource_test.go 
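Review bot: The `hc-vault-transit` Usage string still reads "Make you choose and configure a key", which is missing a word and is the same line this hunk edits to fix "encrption"; since the user-facing help text is being corrected anyway, change it to `Usage: "the full vault path to the key used to encrypt/decrypt. Make sure you choose and configure a key with encryption/decryption enabled (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev'). Can be specified more than once",`. The flag list belongs to `main()`, which starts and ends outside the hunk.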
@@ -101,7 +101,7 @@ func TestMain(m *testing.M) {
 code = m.Run()
 }
- // This can't be deferred, as os.Exit simpy does not care
+ // This can't be deferred, as os.Exit simply does not care
 if err := pool.Purge(resource); err != nil {
 logger.Fatalf("could not purge resource: %s", err)
 }
@@ -556,7 +556,7 @@ func Test_stsSessionName(t *testing.T) {
 }
 got, err := stsSessionName()
 assert.Error(t, err)
- assert.ErrorContains(t, err, "failed to construct STS session nam")
+ assert.ErrorContains(t, err, "failed to construct STS session name")
 assert.Empty(t, got)
 })
diff --git a/pgp/keysource.go b/pgp/keysource.go
index 7c14ff265..a95c4d008 100644
--- a/pgp/keysource.go
+++ b/pgp/keysource.go
@@ -240,7 +240,7 @@ func (r SecRing) ApplyToMasterKey(key *MasterKey) {
 // errSet is a collection of captured errors.
 type errSet []error
-// Error joins the errors into a "; " seperated string.
+// Error joins the errors into a "; " separated string.
 func (e errSet) Error() string {
 str := make([]string, len(e))
 for i, err := range e {
@@ -623,7 +623,7 @@ func gnuPGHome(customPath string) string {
 }
 // shortenFingerprint returns the short ID of the given fingerprint.
-// This is mostly used for compatability reasons, as older versions of GnuPG
+// This is mostly used for compatibility reasons, as older versions of GnuPG
 // do not always like long IDs.
 func shortenFingerprint(fingerprint string) string {
 if offset := len(fingerprint) - 16; offset > 0 {
diff --git a/shamir/shamir_test.go b/shamir/shamir_test.go
index 7719ed01f..18727a89d 100644
--- a/shamir/shamir_test.go
+++ b/shamir/shamir_test.go
@@ -54,7 +54,7 @@ func TestCombine_invalid(t *testing.T) {
 t.Fatalf("should err")
 }
- // Mis-match in length
+ // Mismatch in length
 parts := [][]byte{
 []byte("foo"),
 []byte("ba"),
From 59344842e7358d1d2a884190e36325ba84a3faa3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Nov 2023 09:20:00 +0000 Subject: [PATCH 130/135] build(deps): Bump the go group with 7 updates Bumps the go group with 7 updates: | Package | From | To | | --- | --- | --- | | [cloud.google.com/go/kms](https://github.com/googleapis/google-cloud-go) | `1.15.4` | `1.15.5` | | [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) | `1.33.0` | `1.34.1` | | [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) | `1.21.2` | `1.22.1` | | [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.19.1` | `1.22.0` | | [github.com/aws/aws-sdk-go-v2/feature/s3/manager](https://github.com/aws/aws-sdk-go-v2) | `1.11.92` | `1.13.1` | | [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2) | `1.24.7` | `1.26.0` | | [github.com/fatih/color](https://github.com/fatih/color) | `1.15.0` | `1.16.0` | Updates `cloud.google.com/go/kms` from 1.15.4 to 1.15.5 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.15.4...kms/v1.15.5) Updates `cloud.google.com/go/storage` from 1.33.0 to 1.34.1 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.33.0...spanner/v1.34.1) Updates `github.com/aws/aws-sdk-go-v2` from 1.21.2 to 1.22.1 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.21.2...v1.22.1) Updates `github.com/aws/aws-sdk-go-v2/config` from 1.19.1 to 1.22.0 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.19.1...v1.22.0) 
Updates `github.com/aws/aws-sdk-go-v2/feature/s3/manager` from 1.11.92 to 1.13.1 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.13.1/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/feature/s3/manager/v1.11.92...config/v1.13.1) Updates `github.com/aws/aws-sdk-go-v2/service/kms` from 1.24.7 to 1.26.0 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/service/s3/v1.26.0/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/fsx/v1.24.7...service/s3/v1.26.0) Updates `github.com/fatih/color` from 1.15.0 to 1.16.0 - [Release notes](https://github.com/fatih/color/releases) - [Commits](https://github.com/fatih/color/compare/v1.15.0...v1.16.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/kms dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: cloud.google.com/go/storage dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/feature/s3/manager dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/service/kms dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/fatih/color dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... 
Signed-off-by: dependabot[bot] --- go.mod | 66 ++++++++++++++-------------- go.sum | 133 ++++++++++++++++++++++++++++----------------------------- 2 files changed, 99 insertions(+), 100 deletions(-) diff --git a/go.mod b/go.mod index 3f90f5a3a..2b7a92f57 100644 --- a/go.mod +++ b/go.mod @@ -3,22 +3,22 @@ module github.com/getsops/sops/v3 go 1.19 require ( - cloud.google.com/go/kms v1.15.4 - cloud.google.com/go/storage v1.33.0 + cloud.google.com/go/kms v1.15.5 + cloud.google.com/go/storage v1.34.1 filippo.io/age v1.1.1 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c - github.com/aws/aws-sdk-go-v2 v1.21.2 - github.com/aws/aws-sdk-go-v2/config v1.19.1 - github.com/aws/aws-sdk-go-v2/credentials v1.13.43 - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.92 - github.com/aws/aws-sdk-go-v2/service/kms v1.24.7 - github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2 - github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 + github.com/aws/aws-sdk-go-v2 v1.22.1 + github.com/aws/aws-sdk-go-v2/config v1.22.0 + github.com/aws/aws-sdk-go-v2/credentials v1.15.1 + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.13.1 + github.com/aws/aws-sdk-go-v2/service/kms v1.26.0 + github.com/aws/aws-sdk-go-v2/service/s3 v1.42.0 + github.com/aws/aws-sdk-go-v2/service/sts v1.25.0 github.com/blang/semver v3.5.1+incompatible - github.com/fatih/color v1.15.0 + github.com/fatih/color v1.16.0 github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a github.com/golang/protobuf v1.5.3 github.com/google/go-cmp v0.6.0 
@@ -35,10 +35,10 @@ require ( github.com/stretchr/testify v1.8.4 github.com/urfave/cli v1.22.14 golang.org/x/net v0.17.0 - golang.org/x/sys v0.13.0 + golang.org/x/sys v0.14.0 golang.org/x/term v0.13.0 - google.golang.org/api v0.148.0 - google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a + google.golang.org/api v0.149.0 + google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b google.golang.org/grpc v1.59.0 google.golang.org/protobuf v1.31.0 gopkg.in/ini.v1 v1.67.0 
@@ -47,28 +47,28 @@ require ( require ( cloud.google.com/go v0.110.8 // indirect - cloud.google.com/go/compute v1.23.0 // indirect + cloud.google.com/go/compute v1.23.1 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect - cloud.google.com/go/iam v1.1.2 // indirect + cloud.google.com/go/iam v1.1.3 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect github.com/Microsoft/go-winio v0.6.0 // indirect github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect - github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect - github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect - github.com/aws/smithy-go v1.15.0 // indirect + github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.0 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.2 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.1 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.1 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini 
v1.5.0 // indirect + github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.0 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.1 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.17.0 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.19.0 // indirect + github.com/aws/smithy-go v1.16.0 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/cenkalti/backoff/v4 v4.1.3 // indirect github.com/cloudflare/circl v1.3.3 // indirect @@ -84,8 +84,8 @@ require ( github.com/golang-jwt/jwt/v5 v5.0.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/s2a-go v0.1.7 // indirect - github.com/google/uuid v1.3.1 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.3.1 // indirect + github.com/google/uuid v1.4.0 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect github.com/googleapis/gax-go/v2 v2.12.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-hclog v1.2.1 // indirect @@ -101,7 +101,7 @@ require ( github.com/kr/text v0.2.0 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/mattn/go-colorable v0.1.13 // indirect - github.com/mattn/go-isatty v0.0.17 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect 
@@ -124,8 +124,8 @@ require ( golang.org/x/tools v0.7.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 // indirect + google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b // indirect gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect ) diff --git a/go.sum b/go.sum index 1f2dfe092..89eb1cb34 100644 --- a/go.sum +++ b/go.sum 
@@ -1,16 +1,16 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.110.8 h1:tyNdfIxjzaWctIiLYOTalaLKZ17SI44SKFW26QbOhME= cloud.google.com/go v0.110.8/go.mod h1:Iz8AkXJf1qmxC3Oxoep8R1T36w8B92yU29PcBhHO5fk= -cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY= -cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute v1.23.1 h1:V97tBoDaZHb6leicZ1G6DLK2BAaZLJ/7+9BB/En3hR0= +cloud.google.com/go/compute v1.23.1/go.mod h1:CqB3xpmPKKt3OJpW2ndFIXnA9A4xAy/F3Xp1ixncW78= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= -cloud.google.com/go/iam v1.1.2 h1:gacbrBdWcoVmGLozRuStX45YKvJtzIjJdAolzUs1sm4= -cloud.google.com/go/iam v1.1.2/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= -cloud.google.com/go/kms v1.15.4 h1:gEZzC54ZBI+aeW8/jg9tgz9KR4Aa+WEDPbdGIV3iJ7A= -cloud.google.com/go/kms v1.15.4/go.mod h1:L3Sdj6QTHK8dfwK5D1JLsAyELsNMnd3tAIwGS4ltKpc= -cloud.google.com/go/storage v1.33.0 h1:PVrDOkIC8qQVa1P3SXGpQvfuJhN2LHOoyZvWs8D2X5M= -cloud.google.com/go/storage v1.33.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/OxflYkiD8= +cloud.google.com/go/iam v1.1.3 h1:18tKG7DzydKWUnLjonWcJO6wjSCAtzh4GcRKlH/Hrzc= +cloud.google.com/go/iam v1.1.3/go.mod h1:3khUlaBXfPKKe7huYgEpDn6FtgRyMEqbkvBxrQyY5SE= +cloud.google.com/go/kms v1.15.5 h1:pj1sRfut2eRbD9pFRjNnPNg/CzJPuQAzUujMIM1vVeM= +cloud.google.com/go/kms v1.15.5/go.mod h1:cU2H5jnp6G2TDpUGZyqTCoy1n16fbubHZjmVXSMtwDI= +cloud.google.com/go/storage v1.34.1 h1:H2Af2dU5J0PF7A5B+ECFIce+RqxVnrVilO+cu0TS3MI= +cloud.google.com/go/storage v1.34.1/go.mod h1:VN1ElqqvR9adg1k9xlkUJ55cMOP1/QjnNNuT5xQL6dY= filippo.io/age v1.1.1 h1:pIpO7l151hCnQ4BdyBujnGP2YlUo0uj6sAVNHGBvXHg= filippo.io/age v1.1.1/go.mod h1:l03SrzDUrBkdBx8+IILdnn2KZysqQdbEBUQ4p3sqEQE= 
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 h1:9kDVnTz3vbfweTqAUmk/a/pH5pWFCHtvRpHYC0G/dcA= 
@@ -36,46 +36,46 @@ github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8 github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE= github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA= -github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 h1:Sc82v7tDQ/vdU1WtuSyzZ1I7y/68j//HJ6uozND1IDs= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14/go.mod h1:9NCTOURS8OpxvoAVHq79LK81/zC78hfRWFn+aL0SPcY= -github.com/aws/aws-sdk-go-v2/config v1.19.1 h1:oe3vqcGftyk40icfLymhhhNysAwk0NfiwkDi2GTPMXs= -github.com/aws/aws-sdk-go-v2/config v1.19.1/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= -github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8= -github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.92 h1:nLA7dGFC6v4P6b+hzqt5GqIGmIuN+jTJzojfdOLXWFE= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.92/go.mod h1:h+ei9z19AhoN+Dac92DwkzfbJ4mFUea92xgl5pKSG0Q= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 
h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 h1:hze8YsjSh8Wl1rYa1CJpRmXP21BvOBuc76YhW0HsuQ4= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45/go.mod h1:lD5M20o09/LCuQ2mE62Mb/iSdSlCNuj6H5ci7tW7OsE= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 h1:wmGLw2i8ZTlHLw7a9ULGfQbuccw8uIiNr6sol5bFzc8= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6/go.mod h1:Q0Hq2X/NuL7z8b1Dww8rmOFl+jzusKEcyvkKspwdpyc= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 h1:7R8uRYyXzdD71KWVCL78lJZltah6VVznXBazvKjfH58= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15/go.mod h1:26SQUPcTNgV1Tapwdt4a1rOsYRsnBsJHLMPoxK2b0d8= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 h1:skaFGzv+3kA+v2BPKhuekeb1Hbb105+44r8ASC+q5SE= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38/go.mod h1:epIZoRSSbRIwLPJU5F+OldHhwZPBdpDeQkRdCeY3+00= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 h1:WWZA/I2K4ptBS1kg0kV1JbBtG/umed0vwHRrmcr9z7k= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37/go.mod h1:vBmDnwWXWxNPFRMmG2m/3MKOe+xEcMDo1tanpaWCcck= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 h1:9ulSU5ClouoPIYhDQdg9tpl83d5Yb91PXTKK+17q+ow= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6/go.mod h1:lnc2taBsR9nTlz9meD+lhFZZ9EWY712QHrRflWpTcOA= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.7 h1:uRGw0UKo5hc7M2T7uGsK/Yg2qwecq/dnVjQbbq9RCzY= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.7/go.mod h1:z3O9CXfVrKAV3c9fMWOUUv2C6N2ggXCDHeXpOB6lAEk= -github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2 h1:Ll5/YVCOzRB+gxPqs2uD0R7/MyATC0w85626glSKmp4= -github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2/go.mod h1:Zjfqt7KhQK+PO1bbOsFNzKgaq7TcxzmEoDWN8lM0qzQ= -github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 
h1:JuPGc7IkOP4AaqcZSIcyqLpFSqBWK32rM9+a1g6u73k= -github.com/aws/aws-sdk-go-v2/service/sso v1.15.2/go.mod h1:gsL4keucRCgW+xA85ALBpRFfdSLH4kHOVSnLMSuBECo= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 h1:HFiiRkf1SdaAmV3/BHOFZ9DjFynPHj8G/UIO1lQS+fk= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3/go.mod h1:a7bHA82fyUXOm+ZSWKU6PIoBxrjSprdLoM8xPYvzYVg= -github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 h1:0BkLfgeDjfZnZ+MhB3ONb01u9pwFYTCZVhlsSSBvlbU= -github.com/aws/aws-sdk-go-v2/service/sts v1.23.2/go.mod h1:Eows6e1uQEsc4ZaHANmsPRzAKcVDrcmjjWiih2+HUUQ= -github.com/aws/smithy-go v1.15.0 h1:PS/durmlzvAFpQHDs4wi4sNNP9ExsqZh6IlfdHXgKK8= -github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aws/aws-sdk-go-v2 v1.22.1 h1:sjnni/AuoTXxHitsIdT0FwmqUuNUuHtufcVDErVFT9U= +github.com/aws/aws-sdk-go-v2 v1.22.1/go.mod h1:Kd0OJtkW3Q0M0lUWGszapWjEvrXDzRW+D21JNsroB+c= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.0 h1:hHgLiIrTRtddC0AKcJr5s7i/hLgcpTt+q/FKxf1Zayk= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.0/go.mod h1:w4I/v3NOWgD+qvs1NPEwhd++1h3XPHFaVxasfY6HlYQ= +github.com/aws/aws-sdk-go-v2/config v1.22.0 h1:9Mm99OalzZRz0ab5fpodMoHBApHS6pqRNp3M9NmzvDg= +github.com/aws/aws-sdk-go-v2/config v1.22.0/go.mod h1:2eWgw5lps8fKI7LZVTrRTYP6HE6k/uEFUuTSHfXwqP0= +github.com/aws/aws-sdk-go-v2/credentials v1.15.1 h1:hmf6lAm9hk7uLCfapZn/jL05lm6Uwdbn1B0fgjyuf4M= +github.com/aws/aws-sdk-go-v2/credentials v1.15.1/go.mod h1:QTcHga3ZbQOneJuxmGBOCxiClxmp+TlvmjFexAnJ790= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.2 h1:gIeH4+o1MN/caGBWjoGQTUTIu94xD6fI5B2+TcwBf70= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.2/go.mod h1:wLyMIo/zPOhQhPXTddpfdkSleyigtFi8iMnC+2m/SK4= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.13.1 h1:ULswbgGNVrW8zEhkCNwrwXrs1mUvy2JTqWaCRsD2ZZw= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.13.1/go.mod h1:pAXgsDPk1rRwwfkz8/9ISO75vXEHqTGIgbLhGqqQ1GY= 
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.1 h1:fi1ga6WysOyYb5PAf3Exd6B5GiSNpnZim4h1rhlBqx0= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.1/go.mod h1:V5CY8wNurvPUibTi9mwqUqpiFZ5LnioKWIFUDtIzdI8= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.1 h1:ZpaV/j48RlPc4AmOZuPv22pJliXjXq8/reL63YzyFnw= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.1/go.mod h1:R8aXraabD2e3qv1csxM14/X9WF4wFMIY0kH4YEtYD5M= +github.com/aws/aws-sdk-go-v2/internal/ini v1.5.0 h1:DqOQvIfmGkXZUVJnl9VRk0AnxyS59tCtX9k1Pyss4Ak= +github.com/aws/aws-sdk-go-v2/internal/ini v1.5.0/go.mod h1:VV/Kbw9Mg1GWJOT9WK+oTL3cWZiXtapnNvDSRqTZLsg= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.1 h1:vzYLDkwTw4CY0vUk84MeSufRf8XIsC/GsoIFXD60sTg= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.1/go.mod h1:ToBFBnjeGR2ruMx8IWp/y7vSK3Irj5/oPwifruiqoOM= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.0 h1:CJxo7ZBbaIzmXfV3hjcx36n9V87gJsIUPJflwqEHl3Q= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.0/go.mod h1:yjVfjuY4nD1EW9i387Kau+I6V5cBA5YnC/mWNopjZrI= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.1 h1:15FUCJzAP9Y25nioTqTrGlZmhOtthaXBWlt4pS+d3Xo= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.1/go.mod h1:5655NW53Un6l7JzkI6AA3rZvf0m532cSnLThA1fVXcA= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.1 h1:2OXw3ppu1XsB6rqKEMV4tnecTjIY3PRV2U6IP6KPJQo= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.1/go.mod h1:FZB4AdakIqW/yERVdGJA6Z9jraax1beXfhBBnK2wwR8= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.1 h1:dnl0klXYX9EKpzZbWlH5LJL+YTcEZcJEMPFFr/rAHUQ= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.1/go.mod h1:Mfk/9Joso4tCQYzM4q4HRUIqwln8lnIIMB/OE8Zebdc= +github.com/aws/aws-sdk-go-v2/service/kms v1.26.0 h1:lz/ISKzLItwOZNwz0BQSkikD8l/TKMYPjihgDofXYR0= +github.com/aws/aws-sdk-go-v2/service/kms v1.26.0/go.mod h1:/Vo6A21xdlIYOsAbK+VgFzyG5gMsHk5n7bwco1kI4jg= 
+github.com/aws/aws-sdk-go-v2/service/s3 v1.42.0 h1:u0YoSrxjr3Lm+IqIlRAV+4YTFwkXjyB9db9CfUFge2w= +github.com/aws/aws-sdk-go-v2/service/s3 v1.42.0/go.mod h1:98EIdRu+BNsdqITsXfy+57TZfwlUQC9aDn9a9qoo90U= +github.com/aws/aws-sdk-go-v2/service/sso v1.17.0 h1:I/Oh3IxGPfHXiGnwM54TD6hNr/8TlUrBXAtTyGhR+zw= +github.com/aws/aws-sdk-go-v2/service/sso v1.17.0/go.mod h1:H6NCMvDBqA+CvIaXzaSqM6LWtzv9BzZrqBOqz+PzRF8= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.19.0 h1:irbXQkfVYIRaewYSXcu4yVk0m2T+JzZd0dkop7FjmO0= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.19.0/go.mod h1:4wPNCkM22+oRe71oydP66K50ojDUC33XutSMi2pEF/M= +github.com/aws/aws-sdk-go-v2/service/sts v1.25.0 h1:sYIFy8tm1xQwRvVQ4CRuBGXKIg9sHNuG6+3UAQuoujk= +github.com/aws/aws-sdk-go-v2/service/sts v1.25.0/go.mod h1:S/LOQUeYDfJeJpFCIJDMjy7dwL4aA33HUdVi+i7uH8k= +github.com/aws/smithy-go v1.16.0 h1:gJZEH/Fqh+RsvlJ1Zt4tVAtV6bKkp3cC+R6FCZMNzik= +github.com/aws/smithy-go v1.16.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= 
@@ -120,8 +120,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= -github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= -github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= +github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= +github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a h1:qc+7TV35Pq/FlgqECyS5ywq8cSN9j1fwZg6uyZ7G0B0= github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a/go.mod h1:awFzISqLJoZLm+i9QQ4SgMNHDqljH6jWV0B36V5MrUM= @@ -161,7 +161,6 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= 
@@ -170,10 +169,10 @@ github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= -github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.3.1 h1:SBWmZhjUDRorQxrN0nwzf+AHBxnbFjViHQS4P0yVpmQ= -github.com/googleapis/enterprise-certificate-proxy v0.3.1/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= +github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4= +github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= +github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= github.com/goware/prefixer v0.0.0-20160118172347-395022866408 h1:Y9iQJfEqnN3/Nce9cOegemcy/9Ai5k3huT6E80F3zaw= 
@@ -232,8 +231,8 @@ github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNx github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= -github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= @@ -386,8 +385,8 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= +golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= 
@@ -425,8 +424,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.148.0 h1:HBq4TZlN4/1pNcu0geJZ/Q50vIwIXT532UIMYoo0vOs= -google.golang.org/api v0.148.0/go.mod h1:8/TBgwaKjfqTdacOJrOv2+2Q6fBDU1uHKK06oGSkxzU= +google.golang.org/api v0.149.0 h1:b2CqT6kG+zqJIVKRQ3ELJVLN1PwHZ6DJ3dW8yl82rgY= +google.golang.org/api v0.149.0/go.mod h1:Mwn1B7JTXrzXtnvmzQE2BD6bYZQ8DShKZDZbeN9I7qI= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= 
@@ -434,12 +433,12 @@ google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCID google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 h1:SeZZZx0cP0fqUyA+oRzP9k7cSwJlvDFiROO72uwD6i0= -google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97/go.mod h1:t1VqOqqvce95G3hIDCT5FeO3YUc6Q4Oe24L/+rNMxRk= -google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 h1:W18sezcAYs+3tDZX4F80yctqa12jcP1PUS2gQu1zTPU= -google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97/go.mod h1:iargEX0SFPm3xcfMI0d1domjg0ZF4Aa0p2awqyxhvF0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a h1:a2MQQVoTo96JC9PMGtGBymLp7+/RzpFc2yX/9WfFg1c= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a/go.mod h1:4cYg8o5yUbm77w8ZX00LhMVNl/YVBFJRYWDc0uYWMs0= +google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b h1:+YaDE2r2OG8t/z5qmsh7Y+XXwCbvadxxZ0YY6mTdrVA= +google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:CgAqfJo+Xmu0GwA0411Ht3OU3OntXwsGmrmjI8ioGXI= +google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b h1:CIC2YMXmIhYw6evmhPxBKJ4fmLbOFtXQN/GV3XOZR8k= +google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b h1:ZlWIi1wSK56/8hn4QcBp/j9M7Gt3U/3hZw3mC7vDICo= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:swOH3j0KzcDDgGUWr+SNpyTen5YrXjS3eyPzFYKc6lc= google.golang.org/grpc v1.19.0/go.mod 
h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= From d040aae29114926ad31b2a65b65c6f70c81cdbae Mon Sep 17 00:00:00 2001 From: Mitar Date: Sat, 18 Dec 2021 21:50:57 +0100 Subject: [PATCH 131/135] Support computing MAC only over values which end up encrypted Signed-off-by: Mitar --- README.rst | 6 ++++ cmd/sops/edit.go | 2 ++ cmd/sops/encrypt.go | 2 ++ cmd/sops/main.go | 10 ++++++ config/config.go | 3 ++ config/config_test.go | 14 ++++++++ sops.go | 57 ++++++++++++++++++++--------- sops_test.go | 84 +++++++++++++++++++++++++++++++++++++++++++ stores/stores.go | 3 ++ 9 files changed, 165 insertions(+), 16 deletions(-) diff --git a/README.rst b/README.rst index 2400172c7..e1b206193 100644 --- a/README.rst +++ b/README.rst @@ -1427,6 +1427,9 @@ to any key of a file. When set, all values underneath the key that set the Note that, while in cleartext, unencrypted content is still added to the checksum of the file, and thus cannot be modified outside of SOPS without breaking the file integrity check. +This behavior can be modified using ``--mac-only-encrypted`` flag or ``.sops.yaml`` +config file which makes SOPS compute a MAC only over values it encrypted and +not all values. The unencrypted suffix can be set to a different value using the ``--unencrypted-suffix`` option. @@ -1539,6 +1542,9 @@ In addition to authenticating branches of the tree using keys as additional data, SOPS computes a MAC on all the values to ensure that no value has been added or removed fraudulently. The MAC is stored encrypted with AES_GCM and the data key under tree -> ``sops`` -> ``mac``. +This behavior can be modified using ``--mac-only-encrypted`` flag or ``.sops.yaml`` +config file which makes SOPS compute a MAC only over values it encrypted and +not all values. Motivation ---------- 
diff --git a/cmd/sops/edit.go b/cmd/sops/edit.go
index 4ac92e487..d71906f1a 100644
--- a/cmd/sops/edit.go
+++ b/cmd/sops/edit.go
@@ -35,6 +35,7 @@ type editExampleOpts struct {
 EncryptedSuffix string
 UnencryptedRegex string
 EncryptedRegex string
+ MACOnlyEncrypted bool
 KeyGroups []sops.KeyGroup
 GroupThreshold int
 }
@@ -65,6 +66,7 @@ func editExample(opts editExampleOpts) ([]byte, error) {
 EncryptedSuffix: opts.EncryptedSuffix,
 UnencryptedRegex: opts.UnencryptedRegex,
 EncryptedRegex: opts.EncryptedRegex,
+ MACOnlyEncrypted: opts.MACOnlyEncrypted,
 Version: version.Version,
 ShamirThreshold: opts.GroupThreshold,
 },
diff --git a/cmd/sops/encrypt.go b/cmd/sops/encrypt.go
index f5b770e7a..826fa496a 100644
--- a/cmd/sops/encrypt.go
+++ b/cmd/sops/encrypt.go
@@ -23,6 +23,7 @@ type encryptOpts struct {
 EncryptedSuffix string
 UnencryptedRegex string
 EncryptedRegex string
+ MACOnlyEncrypted bool
 KeyGroups []sops.KeyGroup
 GroupThreshold int
 }
@@ -82,6 +83,7 @@ func encrypt(opts encryptOpts) (encryptedFile []byte, err error) {
 EncryptedSuffix: opts.EncryptedSuffix,
 UnencryptedRegex: opts.UnencryptedRegex,
 EncryptedRegex: opts.EncryptedRegex,
+ MACOnlyEncrypted: opts.MACOnlyEncrypted,
 Version: version.Version,
 ShamirThreshold: opts.GroupThreshold,
 },
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 0d72453a1..6bcf8f98d 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -668,6 +668,10 @@ func main() {
 Name: "ignore-mac",
 Usage: "ignore Message Authentication Code during decryption",
 },
+ cli.BoolFlag{
+ Name: "mac-only-encrypted",
+ Usage: "compute MAC only over values which end up encrypted",
+ },
 cli.StringFlag{
 Name: "unencrypted-suffix",
 Usage: "override the unencrypted key suffix.",
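Review bot: The help text for the new `mac-only-encrypted` flag in the cmd/sops/main.go hunk says what is computed but not what is given up: once enabled, values that stay in cleartext (unencrypted suffix/regex matches) are no longer covered by the file's integrity check, which the README section changed in this same commit describes as the purpose of the MAC. Because this is an opt-out from a security property, the `Usage` string should say so, e.g. `Usage: "compute MAC only over values which end up encrypted (values left in cleartext are then not covered by the integrity check)",`. The enclosing `main()` starts and ends outside the hunk.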
@@ -738,6 +742,7 @@ func main() { encryptedSuffix := c.String("encrypted-suffix") encryptedRegex := c.String("encrypted-regex") unencryptedRegex := c.String("unencrypted-regex") + macOnlyEncrypted := c.Bool("mac-only-encrypted") conf, err := loadConfig(c, fileName, nil) if err != nil { return toExitError(err) @@ -756,6 +761,9 @@ func main() { if unencryptedRegex == "" { unencryptedRegex = conf.UnencryptedRegex } + if !macOnlyEncrypted { + macOnlyEncrypted = conf.MACOnlyEncrypted + } } cryptRuleCount := 0 @@ -806,6 +814,7 @@ func main() { EncryptedSuffix: encryptedSuffix, UnencryptedRegex: unencryptedRegex, EncryptedRegex: encryptedRegex, + MACOnlyEncrypted: macOnlyEncrypted, KeyServices: svcs, KeyGroups: groups, GroupThreshold: threshold, @@ -963,6 +972,7 @@ func main() { EncryptedSuffix: encryptedSuffix, UnencryptedRegex: unencryptedRegex, EncryptedRegex: encryptedRegex, + MACOnlyEncrypted: macOnlyEncrypted, KeyGroups: groups, GroupThreshold: threshold, }) diff --git a/config/config.go b/config/config.go index 6f34e0066..67ddea1bb 100644 --- a/config/config.go +++ b/config/config.go @@ -123,6 +123,7 @@ type creationRule struct { EncryptedSuffix string `yaml:"encrypted_suffix"` UnencryptedRegex string `yaml:"unencrypted_regex"` EncryptedRegex string `yaml:"encrypted_regex"` + MACOnlyEncrypted bool `yaml:"mac_only_encrypted"` } // Load loads a sops config file into a temporary struct @@ -142,6 +143,7 @@ type Config struct { EncryptedSuffix string UnencryptedRegex string EncryptedRegex string + MACOnlyEncrypted bool Destination publish.Destination OmitExtensions bool } @@ -265,6 +267,7 @@ func configFromRule(rule *creationRule, kmsEncryptionContext map[string]*string) EncryptedSuffix: rule.EncryptedSuffix, UnencryptedRegex: rule.UnencryptedRegex, EncryptedRegex: rule.EncryptedRegex, + MACOnlyEncrypted: rule.MACOnlyEncrypted, }, nil } diff --git a/config/config_test.go b/config/config_test.go index 1c9814a41..8f4fb006b 100644 --- a/config/config_test.go 
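Review bot: The fallback `if !macOnlyEncrypted { macOnlyEncrypted = conf.MACOnlyEncrypted }` means a creation rule with `mac_only_encrypted: true` can never be switched off from the command line, because a bool flag has no "unset" state the way the empty-string checks just above it do. That may be acceptable, but it differs from the string options and is stated nowhere; a comment such as `// A rule's mac_only_encrypted cannot be disabled per invocation; the flag can only turn it on.` next to the check, and the same sentence in the flag's Usage text in the first main.go hunk, would make the precedence explicit. The enclosing `main` function starts and ends outside the hunk.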
+++ b/config/config_test.go @@ -158,6 +158,14 @@ creation_rules: unencrypted_regex: "^dec:" `) +var sampleConfigWithMACOnlyEncrypted = []byte(` +creation_rules: + - path_regex: barbar* + kms: "1" + pgp: "2" + mac_only_encrypted: true + `) + var sampleConfigWithInvalidParameters = []byte(` creation_rules: - path_regex: foobar* @@ -416,6 +424,12 @@ func TestLoadConfigFileWithEncryptedRegex(t *testing.T) { assert.Equal(t, "^enc:", conf.EncryptedRegex) } +func TestLoadConfigFileWithMACOnlyEncrypted(t *testing.T) { + conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithMACOnlyEncrypted, t), "/conf/path", "barbar", nil) + assert.Equal(t, nil, err) + assert.Equal(t, true, conf.MACOnlyEncrypted) +} + func TestLoadConfigFileWithInvalidParameters(t *testing.T) { _, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithInvalidParameters, t), "/conf/path", "foobar", nil) assert.NotNil(t, err) diff --git a/sops.go b/sops.go index 6371bcb8c..c5c0cce1a 100644 --- a/sops.go +++ b/sops.go @@ -77,6 +77,12 @@ var MacMismatch = &SopsError{10, "MAC mismatch"} // MetadataNotFound occurs when the input file is malformed and doesn't have sops metadata in it var MetadataNotFound = &SopsError{11, "sops metadata not found"} +// MACOnlyEncryptedInitialization is a constant and known sequence of 32 bytes used to initialize +// MAC which is computed only over values which end up encrypted. That assures that a MAC with the +// setting enabled is always different from a MAC with this setting disabled. +// The following numbers are taken from the output of `echo -n sops | sha256sum` (shell) or `hashlib.sha256(b'sops').hexdigest()` (Python). +var MACOnlyEncryptedInitialization = []byte{0x8a, 0x3f, 0xd2, 0xad, 0x54, 0xce, 0x66, 0x52, 0x7b, 0x10, 0x34, 0xf3, 0xd1, 0x47, 0xbe, 0xb, 0xb, 0x97, 0x5b, 0x3b, 0xf4, 0x4f, 0x72, 0xc6, 0xfd, 0xad, 0xec, 0x81, 0x76, 0xf2, 0x7d, 0x69} + var log *logrus.Logger func init() { 
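Review bot: `MACOnlyEncryptedInitialization` is an exported package-level `var` slice, so any importer can overwrite or mutate it in place, yet its bytes are part of the MAC derivation for every file written with `mac_only_encrypted: true` and must never change once released. Go has no constant slices, so the practical options are to unexport it (Encrypt and Decrypt are its only users in this commit) or to hand out a fresh copy from a function; at minimum the comment should say `// This value is part of the on-disk MAC format: changing it breaks verification of every existing file created with MACOnlyEncrypted set.` The comment says the literal is sha256 of "sops"; a unit test that recomputes it with crypto/sha256 and compares would catch a transcription slip in the 32 bytes without anyone checking by hand.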
@@ -298,22 +304,21 @@ func (branch TreeBranch) walkBranch(in TreeBranch, path []string, onLeaves func( // is provided (by default it is not), those not matching EncryptedRegex, // if EncryptedRegex is provided (by default it is not) or those matching // UnencryptedRegex, if UnencryptedRegex is provided (by default it is not). -// If encryption is successful, it returns the MAC for the encrypted tree. +// If encryption is successful, it returns the MAC for the encrypted tree +// (all values if MACOnlyEncrypted is false, or only over values which end +// up encrypted if MACOnlyEncrypted is true). func (tree Tree) Encrypt(key []byte, cipher Cipher) (string, error) { audit.SubmitEvent(audit.EncryptEvent{ File: tree.FilePath, }) hash := sha512.New() + if tree.Metadata.MACOnlyEncrypted { + // We initialize with known set of bytes so that a MAC with this setting + // enabled is always different from a MAC with this setting disabled. + hash.Write(MACOnlyEncryptedInitialization) + } walk := func(branch TreeBranch) error { _, err := branch.walkBranch(branch, make([]string, 0), func(in interface{}, path []string) (interface{}, error) { - // Only add to MAC if not a comment - if _, ok := in.(Comment); !ok { - bytes, err := ToBytes(in) - if err != nil { - return nil, fmt.Errorf("Could not convert %s to bytes: %s", in, err) - } - hash.Write(bytes) - } encrypted := true if tree.Metadata.UnencryptedSuffix != "" { for _, v := range path { @@ -351,6 +356,16 @@ func (tree Tree) Encrypt(key []byte, cipher Cipher) (string, error) { } } } + if !tree.Metadata.MACOnlyEncrypted || encrypted { + // Only add to MAC if not a comment + if _, ok := in.(Comment); !ok { + bytes, err := ToBytes(in) + if err != nil { + return nil, fmt.Errorf("Could not convert %s to bytes: %s", in, err) + } + hash.Write(bytes) + } + } if encrypted { var err error pathString := strings.Join(path, ":") + ":" 
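Review bot: The hash prelude added here (`sha512.New()` plus the conditional prefix write) and the `if !tree.Metadata.MACOnlyEncrypted || encrypted` guard around the MAC update are duplicated verbatim in the Decrypt hunks of this file, so the two MAC computations can drift apart silently, and any divergence between them is exactly what turns a valid file into a MAC mismatch. A small helper such as `func (tree Tree) newMACHash() hash.Hash` for the prelude and `func (tree Tree) macIncludes(encrypted bool) bool` for the guard would keep both paths in step. Encrypt's body continues outside the hunk.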
@@ -378,13 +393,20 @@ func (tree Tree) Encrypt(key []byte, cipher Cipher) (string, error) { // those not ending with EncryptedSuffix, if EncryptedSuffix is provided (by default it is not), // those not matching EncryptedRegex, if EncryptedRegex is provided (by default it is not), // or those matching UnencryptedRegex, if UnencryptedRegex is provided (by default it is not). -// If decryption is successful, it returns the MAC for the decrypted tree. +// If decryption is successful, it returns the MAC for the decrypted tree +// (all values if MACOnlyEncrypted is false, or only over values which end +// up decrypted if MACOnlyEncrypted is true). func (tree Tree) Decrypt(key []byte, cipher Cipher) (string, error) { log.Debug("Decrypting tree") audit.SubmitEvent(audit.DecryptEvent{ File: tree.FilePath, }) hash := sha512.New() + if tree.Metadata.MACOnlyEncrypted { + // We initialize with known set of bytes so that a MAC with this setting + // enabled is always different from a MAC with this setting disabled. + hash.Write(MACOnlyEncryptedInitialization) + } walk := func(branch TreeBranch) error { _, err := branch.walkBranch(branch, make([]string, 0), func(in interface{}, path []string) (interface{}, error) { encrypted := true @@ -448,13 +470,15 @@ func (tree Tree) Decrypt(key []byte, cipher Cipher) (string, error) { } else { v = in } - // Only add to MAC if not a comment - if _, ok := v.(Comment); !ok { - bytes, err := ToBytes(v) - if err != nil { - return nil, fmt.Errorf("Could not convert %s to bytes: %s", in, err) + if !tree.Metadata.MACOnlyEncrypted || encrypted { + // Only add to MAC if not a comment + if _, ok := v.(Comment); !ok { + bytes, err := ToBytes(v) + if err != nil { + return nil, fmt.Errorf("Could not convert %s to bytes: %s", in, err) + } + hash.Write(bytes) } - hash.Write(bytes) } return v, nil }) 
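Review bot: On the decrypt side `tree.Metadata.MACOnlyEncrypted` is whatever the input file's own `sops` metadata says (the stores.go hunk round-trips it through `ToInternal`), so the file itself chooses which values its MAC covers, and nothing in this hunk suggests that metadata field is itself authenticated. The only thing keeping a flipped flag from yielding a matching MAC is the `MACOnlyEncryptedInitialization` prefix written on the first added line, and that dependency deserves stating where the check lives: `// MACOnlyEncrypted comes from the file's own metadata; the fixed prefix is what keeps a MAC computed in one mode from verifying in the other.` The updated doc comment should also say plainly that with the flag set, unencrypted values can be altered without failing the MAC check, since that is the property users give up. Decrypt's body continues outside the hunk.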
@@ -497,6 +521,7 @@ type Metadata struct { UnencryptedRegex string EncryptedRegex string MessageAuthenticationCode string + MACOnlyEncrypted bool Version string KeyGroups []KeyGroup // ShamirThreshold is the number of key groups required to recover the diff --git a/sops_test.go b/sops_test.go index 549de80bf..56a1c3da4 100644 --- a/sops_test.go +++ b/sops_test.go 
@@ -242,6 +242,90 @@ func TestUnencryptedRegex(t *testing.T) { } } +func TestMACOnlyEncrypted(t *testing.T) { + branches := TreeBranches{ + TreeBranch{ + TreeItem{ + Key: "foo_encrypted", + Value: "bar", + }, + TreeItem{ + Key: "bar", + Value: TreeBranch{ + TreeItem{ + Key: "foo", + Value: "bar", + }, + }, + }, + }, + } + tree := Tree{Branches: branches, Metadata: Metadata{EncryptedSuffix: "_encrypted", MACOnlyEncrypted: true}} + onlyEncrypted := TreeBranches{ + TreeBranch{ + TreeItem{ + Key: "foo_encrypted", + Value: "bar", + }, + }, + } + treeOnlyEncrypted := Tree{Branches: onlyEncrypted, Metadata: Metadata{EncryptedSuffix: "_encrypted", MACOnlyEncrypted: true}} + cipher := reverseCipher{} + mac, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher) + if err != nil { + t.Errorf("Encrypting the tree failed: %s", err) + } + macOnlyEncrypted, err := treeOnlyEncrypted.Encrypt(bytes.Repeat([]byte("f"), 32), cipher) + if err != nil { + t.Errorf("Encrypting the treeOnlyEncrypted failed: %s", err) + } + if mac != macOnlyEncrypted { + t.Errorf("MACs don't match:\ngot \t\t%+v,\nexpected \t\t%+v", mac, macOnlyEncrypted) + } +} + +func TestMACOnlyEncryptedNoConfusion(t *testing.T) { + branches := TreeBranches{ + TreeBranch{ + TreeItem{ + Key: "foo_encrypted", + Value: "bar", + }, + TreeItem{ + Key: "bar", + Value: TreeBranch{ + TreeItem{ + Key: "foo", + Value: "bar", + }, + }, + }, + }, + } + tree := Tree{Branches: branches, Metadata: Metadata{EncryptedSuffix: "_encrypted", MACOnlyEncrypted: true}} + onlyEncrypted := TreeBranches{ + TreeBranch{ + TreeItem{ + Key: "foo_encrypted", + Value: "bar", + }, + }, + } + treeOnlyEncrypted := Tree{Branches: onlyEncrypted, Metadata: Metadata{EncryptedSuffix: "_encrypted"}} + cipher := reverseCipher{} + mac, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher) + if err != nil { + t.Errorf("Encrypting the tree failed: %s", err) + } + macOnlyEncrypted, err := treeOnlyEncrypted.Encrypt(bytes.Repeat([]byte("f"), 32), cipher) + if 
err != nil { + t.Errorf("Encrypting the treeOnlyEncrypted failed: %s", err) + } + if mac == macOnlyEncrypted { + t.Errorf("MACs match but they should not") + } +} + type MockCipher struct{} func (m MockCipher) Encrypt(value interface{}, key []byte, path string) (string, error) { diff --git a/stores/stores.go b/stores/stores.go index 420c115c7..e4b17289d 100644 --- a/stores/stores.go +++ b/stores/stores.go @@ -51,6 +51,7 @@ type Metadata struct { EncryptedSuffix string `yaml:"encrypted_suffix,omitempty" json:"encrypted_suffix,omitempty"` UnencryptedRegex string `yaml:"unencrypted_regex,omitempty" json:"unencrypted_regex,omitempty"` EncryptedRegex string `yaml:"encrypted_regex,omitempty" json:"encrypted_regex,omitempty"` + MACOnlyEncrypted bool `yaml:"mac_only_encrypted,omitempty" json:"mac_only_encrypted,omitempty"` Version string `yaml:"version" json:"version"` } @@ -114,6 +115,7 @@ func MetadataFromInternal(sopsMetadata sops.Metadata) Metadata { m.UnencryptedRegex = sopsMetadata.UnencryptedRegex m.EncryptedRegex = sopsMetadata.EncryptedRegex m.MessageAuthenticationCode = sopsMetadata.MessageAuthenticationCode + m.MACOnlyEncrypted = sopsMetadata.MACOnlyEncrypted m.Version = sopsMetadata.Version m.ShamirThreshold = sopsMetadata.ShamirThreshold if len(sopsMetadata.KeyGroups) == 1 { @@ -270,6 +272,7 @@ func (m *Metadata) ToInternal() (sops.Metadata, error) { EncryptedSuffix: m.EncryptedSuffix, UnencryptedRegex: m.UnencryptedRegex, EncryptedRegex: m.EncryptedRegex, + MACOnlyEncrypted: m.MACOnlyEncrypted, LastModified: lastModified, }, nil } From 00a027287963f68fb2fa838fdc3a3d1b97df6966 Mon Sep 17 00:00:00 2001 
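Review bot: Both new tests call `t.Errorf` after a failed `Encrypt` and then carry on comparing MACs, so a setup failure produces a second, misleading "MACs don't match" failure; `t.Fatalf` is the usual choice there. Neither test exercises the Decrypt changes in this commit: a round trip that encrypts with `MACOnlyEncrypted: true`, decrypts, and asserts the two returned MACs are equal would cover the path that actually enforces integrity. A variant that keeps the same tree and only toggles the flag would also pin the domain separation more directly than `TestMACOnlyEncryptedNoConfusion`, which changes the tree as well as the flag.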
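Review bot: Persisting `mac_only_encrypted` in the file metadata (the new `Metadata` field with `omitempty`) changes what older readers do with such files: a sops build that predates this field would, as far as I can tell from the Decrypt hunk, hash every value without the `MACOnlyEncryptedInitialization` prefix and report a MAC mismatch. That is the right failure, but it is a compatibility break the README hunks in this commit do not mention; a sentence such as `Files created with mac_only_encrypted cannot be verified by sops versions that do not support the setting.` belongs next to the new paragraphs.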
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 09:40:51 +0000 Subject: [PATCH 132/135] build(deps): Bump the ci group with 1 update Bumps the ci group with 1 update: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer). - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/11086d25041f77fe8fe7b9ea4e48e3b9192b8f19...1fc5bd396d372bee37d608f955b336615edf79c8) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0c39f8393..455a81d49 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,7 +39,7 @@ jobs: uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 - name: Setup Cosign - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 + uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 - name: Setup QEMU uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 From 43d0674d6d0e1f60e5cf67997cbd9558c2d9cdc1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 15:06:07 +0000 Subject: [PATCH 133/135] build(deps): Bump the go group with 7 updates Bumps the go group with 7 updates: | Package | From | To | | --- | --- | --- | | [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) | `1.34.1` | `1.35.1` | | [github.com/Azure/azure-sdk-for-go/sdk/azcore](https://github.com/Azure/azure-sdk-for-go) | `1.8.0` | `1.9.0` | | [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) | `1.22.1` | `1.22.2` | | [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.22.0` | `1.23.0` | | [github.com/aws/aws-sdk-go-v2/feature/s3/manager](https://github.com/aws/aws-sdk-go-v2) | `1.13.1` | `1.13.5` | | [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2) | `1.26.0` | `1.26.1` | | [golang.org/x/net](https://github.com/golang/net) | `0.17.0` | `0.18.0` | Updates `cloud.google.com/go/storage` from 1.34.1 to 1.35.1 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.34.1...storage/v1.35.1) Updates `github.com/Azure/azure-sdk-for-go/sdk/azcore` from 1.8.0 to 1.9.0 - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.8.0...sdk/azcore/v1.9.0) Updates `github.com/aws/aws-sdk-go-v2` from 1.22.1 to 1.22.2 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.22.1...v1.22.2) Updates `github.com/aws/aws-sdk-go-v2/config` from 1.22.0 to 1.23.0 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - 
[Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.22.0...config/v1.23.0) Updates `github.com/aws/aws-sdk-go-v2/feature/s3/manager` from 1.13.1 to 1.13.5 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/service/mq/v1.13.5/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.13.1...service/mq/v1.13.5) Updates `github.com/aws/aws-sdk-go-v2/service/kms` from 1.26.0 to 1.26.1 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.26.0...service/s3/v1.26.1) Updates `golang.org/x/net` from 0.17.0 to 0.18.0 - [Commits](https://github.com/golang/net/compare/v0.17.0...v0.18.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/storage dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azcore dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/feature/s3/manager dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/service/kms dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... 
Signed-off-by: dependabot[bot] --- go.mod | 56 ++++++++++++++--------------- go.sum | 112 ++++++++++++++++++++++++++++----------------------------- 2 files changed, 84 insertions(+), 84 deletions(-) diff --git a/go.mod b/go.mod index 2b7a92f57..64af96390 100644 --- a/go.mod +++ b/go.mod @@ -4,19 +4,19 @@ go 1.19 require ( cloud.google.com/go/kms v1.15.5 - cloud.google.com/go/storage v1.34.1 + cloud.google.com/go/storage v1.35.1 filippo.io/age v1.1.1 - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c - github.com/aws/aws-sdk-go-v2 v1.22.1 - github.com/aws/aws-sdk-go-v2/config v1.22.0 - github.com/aws/aws-sdk-go-v2/credentials v1.15.1 - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.13.1 - github.com/aws/aws-sdk-go-v2/service/kms v1.26.0 - github.com/aws/aws-sdk-go-v2/service/s3 v1.42.0 - github.com/aws/aws-sdk-go-v2/service/sts v1.25.0 + github.com/aws/aws-sdk-go-v2 v1.22.2 + github.com/aws/aws-sdk-go-v2/config v1.23.0 + github.com/aws/aws-sdk-go-v2/credentials v1.15.2 + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.13.5 + github.com/aws/aws-sdk-go-v2/service/kms v1.26.1 + github.com/aws/aws-sdk-go-v2/service/s3 v1.42.1 + github.com/aws/aws-sdk-go-v2/service/sts v1.25.1 github.com/blang/semver v3.5.1+incompatible github.com/fatih/color v1.16.0 github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a 
@@ -34,11 +34,11 @@ require ( github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.8.4 github.com/urfave/cli v1.22.14 - golang.org/x/net v0.17.0 + golang.org/x/net v0.18.0 golang.org/x/sys v0.14.0 - golang.org/x/term v0.13.0 - google.golang.org/api v0.149.0 - google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b + golang.org/x/term v0.14.0 + google.golang.org/api v0.150.0 + google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 google.golang.org/grpc v1.59.0 google.golang.org/protobuf v1.31.0 gopkg.in/ini.v1 v1.67.0 
@@ -50,24 +50,24 @@ require ( cloud.google.com/go/compute v1.23.1 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect cloud.google.com/go/iam v1.1.3 // indirect - github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect github.com/Microsoft/go-winio v0.6.0 // indirect github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.0 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.2 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.1 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.1 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.5.0 // indirect - github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.1 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.3 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.2 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.2 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.6.0 // indirect + github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.2 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.0 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.1 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.1 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.17.0 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.19.0 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.2 // indirect + 
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.2 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.2 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.17.1 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.19.1 // indirect github.com/aws/smithy-go v1.16.0 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/cenkalti/backoff/v4 v4.1.3 // indirect @@ -115,12 +115,12 @@ require ( github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect go.opencensus.io v0.24.0 // indirect - golang.org/x/crypto v0.14.0 // indirect + golang.org/x/crypto v0.15.0 // indirect golang.org/x/mod v0.9.0 // indirect golang.org/x/oauth2 v0.13.0 // indirect - golang.org/x/sync v0.4.0 // indirect - golang.org/x/text v0.13.0 // indirect - golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect + golang.org/x/sync v0.5.0 // indirect + golang.org/x/text v0.14.0 // indirect + golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.7.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/appengine v1.6.7 // indirect diff --git a/go.sum b/go.sum index 89eb1cb34..9b712d629 100644 --- a/go.sum +++ b/go.sum 
@@ -9,16 +9,16 @@ cloud.google.com/go/iam v1.1.3 h1:18tKG7DzydKWUnLjonWcJO6wjSCAtzh4GcRKlH/Hrzc= cloud.google.com/go/iam v1.1.3/go.mod h1:3khUlaBXfPKKe7huYgEpDn6FtgRyMEqbkvBxrQyY5SE= cloud.google.com/go/kms v1.15.5 h1:pj1sRfut2eRbD9pFRjNnPNg/CzJPuQAzUujMIM1vVeM= cloud.google.com/go/kms v1.15.5/go.mod h1:cU2H5jnp6G2TDpUGZyqTCoy1n16fbubHZjmVXSMtwDI= -cloud.google.com/go/storage v1.34.1 h1:H2Af2dU5J0PF7A5B+ECFIce+RqxVnrVilO+cu0TS3MI= -cloud.google.com/go/storage v1.34.1/go.mod h1:VN1ElqqvR9adg1k9xlkUJ55cMOP1/QjnNNuT5xQL6dY= +cloud.google.com/go/storage v1.35.1 h1:B59ahL//eDfx2IIKFBeT5Atm9wnNmj3+8xG/W4WB//w= +cloud.google.com/go/storage v1.35.1/go.mod h1:M6M/3V/D3KpzMTJyPOR/HU6n2Si5QdaXYEsng2xgOs8= filippo.io/age v1.1.1 h1:pIpO7l151hCnQ4BdyBujnGP2YlUo0uj6sAVNHGBvXHg= filippo.io/age v1.1.1/go.mod h1:l03SrzDUrBkdBx8+IILdnn2KZysqQdbEBUQ4p3sqEQE= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 h1:9kDVnTz3vbfweTqAUmk/a/pH5pWFCHtvRpHYC0G/dcA= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0/go.mod h1:3Ug6Qzto9anB6mGlEdgYMDF5zHQ+wwhEaYR4s17PHMw= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0 h1:fb8kj/Dh4CSwgsOzHeZY4Xh68cFVbzXx+ONXGMY//4w= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0/go.mod h1:uReU2sSxZExRPBAg3qKzmAucSi51+SP1OhohieR821Q= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 h1:BMAjVKJM0U/CYF27gA0ZMmXGkOcvfFtD0oHVZ1TIPRI= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0/go.mod h1:1fXstnBMas5kzG+S3q8UoJcmyU6nUeunJcMDHcRYHhs= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0 h1:d81/ng9rET2YqdVkVwkb6EXeRrLJIwyGnJcAlAWKwhs= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0/go.mod h1:s4kgfzA0covAXNicZHDMN58jExvcng2mC/DepXiF1EI= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 
h1:MyVTgWR8qd/Jw1Le0NZebGBUCLbtak3bJ3z1OlqZBpw= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1/go.mod h1:GpPjLhVR9dnUoJMyHWSPy71xY9/lcmpzIPZXmF0FCVY= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= 
@@ -36,44 +36,44 @@ github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8 github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE= github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/aws/aws-sdk-go-v2 v1.22.1 h1:sjnni/AuoTXxHitsIdT0FwmqUuNUuHtufcVDErVFT9U= -github.com/aws/aws-sdk-go-v2 v1.22.1/go.mod h1:Kd0OJtkW3Q0M0lUWGszapWjEvrXDzRW+D21JNsroB+c= +github.com/aws/aws-sdk-go-v2 v1.22.2 h1:lV0U8fnhAnPz8YcdmZVV60+tr6CakHzqA6P8T46ExJI= +github.com/aws/aws-sdk-go-v2 v1.22.2/go.mod h1:Kd0OJtkW3Q0M0lUWGszapWjEvrXDzRW+D21JNsroB+c= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.0 h1:hHgLiIrTRtddC0AKcJr5s7i/hLgcpTt+q/FKxf1Zayk= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.0/go.mod h1:w4I/v3NOWgD+qvs1NPEwhd++1h3XPHFaVxasfY6HlYQ= -github.com/aws/aws-sdk-go-v2/config v1.22.0 h1:9Mm99OalzZRz0ab5fpodMoHBApHS6pqRNp3M9NmzvDg= -github.com/aws/aws-sdk-go-v2/config v1.22.0/go.mod h1:2eWgw5lps8fKI7LZVTrRTYP6HE6k/uEFUuTSHfXwqP0= -github.com/aws/aws-sdk-go-v2/credentials v1.15.1 h1:hmf6lAm9hk7uLCfapZn/jL05lm6Uwdbn1B0fgjyuf4M= -github.com/aws/aws-sdk-go-v2/credentials v1.15.1/go.mod h1:QTcHga3ZbQOneJuxmGBOCxiClxmp+TlvmjFexAnJ790= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.2 h1:gIeH4+o1MN/caGBWjoGQTUTIu94xD6fI5B2+TcwBf70= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.2/go.mod h1:wLyMIo/zPOhQhPXTddpfdkSleyigtFi8iMnC+2m/SK4= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.13.1 h1:ULswbgGNVrW8zEhkCNwrwXrs1mUvy2JTqWaCRsD2ZZw= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.13.1/go.mod h1:pAXgsDPk1rRwwfkz8/9ISO75vXEHqTGIgbLhGqqQ1GY= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.1 h1:fi1ga6WysOyYb5PAf3Exd6B5GiSNpnZim4h1rhlBqx0= 
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.1/go.mod h1:V5CY8wNurvPUibTi9mwqUqpiFZ5LnioKWIFUDtIzdI8= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.1 h1:ZpaV/j48RlPc4AmOZuPv22pJliXjXq8/reL63YzyFnw= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.1/go.mod h1:R8aXraabD2e3qv1csxM14/X9WF4wFMIY0kH4YEtYD5M= -github.com/aws/aws-sdk-go-v2/internal/ini v1.5.0 h1:DqOQvIfmGkXZUVJnl9VRk0AnxyS59tCtX9k1Pyss4Ak= -github.com/aws/aws-sdk-go-v2/internal/ini v1.5.0/go.mod h1:VV/Kbw9Mg1GWJOT9WK+oTL3cWZiXtapnNvDSRqTZLsg= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.1 h1:vzYLDkwTw4CY0vUk84MeSufRf8XIsC/GsoIFXD60sTg= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.1/go.mod h1:ToBFBnjeGR2ruMx8IWp/y7vSK3Irj5/oPwifruiqoOM= +github.com/aws/aws-sdk-go-v2/config v1.23.0 h1:kqzEfGGDIrRJpfJckgwuZfFTbU9NB1jZnRcaO9MpOqE= +github.com/aws/aws-sdk-go-v2/config v1.23.0/go.mod h1:p7wbxKXXjS1GGQOss7VXOazVMFF9bjUGq85/4wR/fSw= +github.com/aws/aws-sdk-go-v2/credentials v1.15.2 h1:rKH7khRMxPdD0u3dHecd0Q7NOVw3EUe7AqdkUOkiOGI= +github.com/aws/aws-sdk-go-v2/credentials v1.15.2/go.mod h1:tXM8wmaeAhfC7nZoCxb0FzM/aRaB1m1WQ7x0qlBLq80= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.3 h1:G5KawTAkyHH6WyKQCdHiW4h3PmAXNJpOgwKg3H7sDRE= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.3/go.mod h1:hugKmSFnZB+HgNI1sYGT14BUPZkO6alC/e0AWu+0IAQ= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.13.5 h1:P/xwilRdRLLg1PzfviDq0Zjb74weOoDCrh8J5lRCQAY= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.13.5/go.mod h1:9cLHf2IwX6Jyw0KjLVbXly/g6DmzExgUzB1w/AQPGQE= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.2 h1:AaQsr5vvGR7rmeSWBtTCcw16tT9r51mWijuCQhzLnq8= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.2/go.mod h1:o1IiRn7CWocIFTXJjGKJDOwxv1ibL53NpcvcqGWyRBA= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.2 h1:UZx8SXZ0YtzRiALzYAWcjb9Y9hZUR7MBKaBQ5ouOjPs= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.2/go.mod 
h1:ipuRpcSaklmxR6C39G187TpBAO132gUfleTGccUPs8c= +github.com/aws/aws-sdk-go-v2/internal/ini v1.6.0 h1:hwZB07/beLiCopuRKF0t+dEHmP39iN4YtDh3X5d3hrg= +github.com/aws/aws-sdk-go-v2/internal/ini v1.6.0/go.mod h1:rdAuXeHWhI/zkpYcO5n8WCpaIgY9MUxFyBsuqq3kjyA= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.2 h1:pyVrNAf7Hwz0u39dLKN5t+n0+K/3rMYKuiOoIum3AsU= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.2/go.mod h1:mydrfOb9uiOYCxuCPR8YHQNQyGQwUQ7gPMZGBKbH8NY= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.0 h1:CJxo7ZBbaIzmXfV3hjcx36n9V87gJsIUPJflwqEHl3Q= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.0/go.mod h1:yjVfjuY4nD1EW9i387Kau+I6V5cBA5YnC/mWNopjZrI= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.1 h1:15FUCJzAP9Y25nioTqTrGlZmhOtthaXBWlt4pS+d3Xo= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.1/go.mod h1:5655NW53Un6l7JzkI6AA3rZvf0m532cSnLThA1fVXcA= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.1 h1:2OXw3ppu1XsB6rqKEMV4tnecTjIY3PRV2U6IP6KPJQo= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.1/go.mod h1:FZB4AdakIqW/yERVdGJA6Z9jraax1beXfhBBnK2wwR8= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.1 h1:dnl0klXYX9EKpzZbWlH5LJL+YTcEZcJEMPFFr/rAHUQ= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.1/go.mod h1:Mfk/9Joso4tCQYzM4q4HRUIqwln8lnIIMB/OE8Zebdc= -github.com/aws/aws-sdk-go-v2/service/kms v1.26.0 h1:lz/ISKzLItwOZNwz0BQSkikD8l/TKMYPjihgDofXYR0= -github.com/aws/aws-sdk-go-v2/service/kms v1.26.0/go.mod h1:/Vo6A21xdlIYOsAbK+VgFzyG5gMsHk5n7bwco1kI4jg= -github.com/aws/aws-sdk-go-v2/service/s3 v1.42.0 h1:u0YoSrxjr3Lm+IqIlRAV+4YTFwkXjyB9db9CfUFge2w= -github.com/aws/aws-sdk-go-v2/service/s3 v1.42.0/go.mod h1:98EIdRu+BNsdqITsXfy+57TZfwlUQC9aDn9a9qoo90U= -github.com/aws/aws-sdk-go-v2/service/sso v1.17.0 h1:I/Oh3IxGPfHXiGnwM54TD6hNr/8TlUrBXAtTyGhR+zw= -github.com/aws/aws-sdk-go-v2/service/sso v1.17.0/go.mod 
h1:H6NCMvDBqA+CvIaXzaSqM6LWtzv9BzZrqBOqz+PzRF8= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.19.0 h1:irbXQkfVYIRaewYSXcu4yVk0m2T+JzZd0dkop7FjmO0= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.19.0/go.mod h1:4wPNCkM22+oRe71oydP66K50ojDUC33XutSMi2pEF/M= -github.com/aws/aws-sdk-go-v2/service/sts v1.25.0 h1:sYIFy8tm1xQwRvVQ4CRuBGXKIg9sHNuG6+3UAQuoujk= -github.com/aws/aws-sdk-go-v2/service/sts v1.25.0/go.mod h1:S/LOQUeYDfJeJpFCIJDMjy7dwL4aA33HUdVi+i7uH8k= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.2 h1:f2LhPofnjcdOQKRtumKjMvIHkfSQ8aH/rwKUDEQ/SB4= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.2/go.mod h1:q+xX0H4OfuWDuBy7y/LDi4v8IBOWuF+vtp8Z6ex+lw4= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.2 h1:h7j73yuAVVjic8pqswh+L/7r2IHP43QwRyOu6zcCDDE= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.2/go.mod h1:H07AHdK5LSy8F7EJUQhoxyiCNkePoHj2D8P2yGTWafo= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.2 h1:gbIaOzpXixUpoPK+js/bCBK1QBDXM22SigsnzGZio0U= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.2/go.mod h1:p+S7RNbdGN8qgHDSg2SCQJ9FeMAmvcETQiVpeGhYnNM= +github.com/aws/aws-sdk-go-v2/service/kms v1.26.1 h1:YSWNecoEY4Wctdw29aY91T7a6pl1fe7LNceYBqfhCtc= +github.com/aws/aws-sdk-go-v2/service/kms v1.26.1/go.mod h1:kU7as8hswMlxu1rDRWIFn56U1X432hFb9jbEyNUaq5Q= +github.com/aws/aws-sdk-go-v2/service/s3 v1.42.1 h1:o6MCcX1rJW8Y3g+hvg2xpjF6JR6DftuYhfl3Nc1WV9Q= +github.com/aws/aws-sdk-go-v2/service/s3 v1.42.1/go.mod h1:UDtxEWbREX6y4KREapT+jjtjoH0TiVSS6f5nfaY1UaM= +github.com/aws/aws-sdk-go-v2/service/sso v1.17.1 h1:km+ZNjtLtpXYf42RdaDZnNHm9s7SYAuDGTafy6nd89A= +github.com/aws/aws-sdk-go-v2/service/sso v1.17.1/go.mod h1:aHBr3pvBSD5MbzOvQtYutyPLLRPbl/y9x86XyJJnUXQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.19.1 h1:iRFNqZH4a67IqPvK8xxtyQYnyrlsvwmpHOe9r55ggBA= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.19.1/go.mod h1:pTy5WM+6sNv2tB24JNKFtn6EvciQ5k40ZJ0pq/Iaxj0= 
+github.com/aws/aws-sdk-go-v2/service/sts v1.25.1 h1:txgVXIXWPXyqdiVn92BV6a/rgtpX31HYdsOYj0sVQQQ= +github.com/aws/aws-sdk-go-v2/service/sts v1.25.1/go.mod h1:VAiJiNaoP1L89STFlEMgmHX1bKixY+FaP+TpRFrmyZ4= github.com/aws/smithy-go v1.16.0 h1:gJZEH/Fqh+RsvlJ1Zt4tVAtV6bKkp3cC+R6FCZMNzik= github.com/aws/smithy-go v1.16.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= @@ -314,8 +314,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA= +golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 
@@ -342,8 +342,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg= +golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY= golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= @@ -354,8 +354,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= -golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= +golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -392,8 +392,8 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuX golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= -golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= -golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8= +golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 
@@ -401,10 +401,10 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/time v0.0.0-20220609170525-579cf78fd858 h1:Dpdu/EMxGMFgq0CeYMh4fazTD2vtlZRYE7wyynxJb9U= -golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 
@@ -424,8 +424,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.149.0 h1:b2CqT6kG+zqJIVKRQ3ELJVLN1PwHZ6DJ3dW8yl82rgY= -google.golang.org/api v0.149.0/go.mod h1:Mwn1B7JTXrzXtnvmzQE2BD6bYZQ8DShKZDZbeN9I7qI= +google.golang.org/api v0.150.0 h1:Z9k22qD289SZ8gCJrk4DrWXkNjtfvKAUo/l1ma8eBYE= +google.golang.org/api v0.150.0/go.mod h1:ccy+MJ6nrYFgE3WgRx/AMXOxOmU8Q4hSa+jjibzhxcg= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= 
@@ -437,8 +437,8 @@ google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b h1:+YaDE2r2OG8t/z5 google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:CgAqfJo+Xmu0GwA0411Ht3OU3OntXwsGmrmjI8ioGXI= google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b h1:CIC2YMXmIhYw6evmhPxBKJ4fmLbOFtXQN/GV3XOZR8k= google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b h1:ZlWIi1wSK56/8hn4QcBp/j9M7Gt3U/3hZw3mC7vDICo= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:swOH3j0KzcDDgGUWr+SNpyTen5YrXjS3eyPzFYKc6lc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 h1:AB/lmRny7e2pLhFEYIbl5qkDAUt2h0ZRO4wGPhZf+ik= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405/go.mod h1:67X1fPuzjcrkymZzZV1vvkFeTn2Rvc6lYF9MYFGCcwE= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= From 8b04fd763818e0d9e83c036fa0480b6cb914de14 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Mon, 13 Nov 2023 21:00:31 +0100 Subject: [PATCH 134/135] Correctly tag code as yaml-stream Signed-off-by: Felix Fontein --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index e1b206193..d7a4e80fd 100644 --- a/README.rst +++ b/README.rst @@ -1193,7 +1193,7 @@ YAML Streams formats like ``JSON`` do not. SOPS is able to handle both. This means the following multi-document will be encrypted as expected: -.. code:: yaml +.. code:: yaml-stream --- data: foo From 3f7b7ff98706a0b8cf4ca849c86dbff5f95bfb11 Mon Sep 17 00:00:00 2001 
From: kaedwen
Date: Wed, 15 Nov 2023 18:54:57 +0100
Subject: [PATCH 135/135] use defined codes
---
cmd/sops/codes/codes.go | 1 +
sops.go | 5 +++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/cmd/sops/codes/codes.go b/cmd/sops/codes/codes.go
index 7aea67e80..ecf45f6c1 100644
--- a/cmd/sops/codes/codes.go
+++ b/cmd/sops/codes/codes.go
@@ -19,6 +19,7 @@ const (
MacMismatch int = 51
MacNotFound int = 52
ConfigFileNotFound int = 61
+ NoMetadataFound int = 70
KeyboardInterrupt int = 85
InvalidTreePathFormat int = 91
NeedAtLeastOneDocument int = 92
diff --git a/sops.go b/sops.go
index c5c0cce1a..7285ad119 100644
--- a/sops.go
+++ b/sops.go
@@ -47,6 +47,7 @@ import (
"time"
"github.com/getsops/sops/v3/audit"
+ "github.com/getsops/sops/v3/cmd/sops/codes"
"github.com/getsops/sops/v3/keys"
"github.com/getsops/sops/v3/keyservice"
"github.com/getsops/sops/v3/logging"
@@ -72,10 +73,10 @@ func (e SopsError) Error() string {
}
// MacMismatch occurs when the computed MAC does not match the expected ones
-var MacMismatch = &SopsError{10, "MAC mismatch"}
+var MacMismatch = &SopsError{codes.MacMismatch, "MAC mismatch"}
// MetadataNotFound occurs when the input file is malformed and doesn't have sops metadata in it
-var MetadataNotFound = &SopsError{11, "sops metadata not found"}
+var MetadataNotFound = &SopsError{codes.NoMetadataFound, "sops metadata not found"}
// MACOnlyEncryptedInitialization is a constant and known sequence of 32 bytes used to initialize
// MAC which is computed only over values which end up encrypted. That assures that a MAC with the
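Review bot: The new constant `NoMetadataFound` names the same condition that sops.go exports as `MetadataNotFound`, so a reader has to connect two differently spelled identifiers for one error; renaming it to `MetadataNotFound int = 70` keeps the code aligned with the error value it is assigned to, the way `codes.MacMismatch` already matches `sops.MacMismatch`. The neighbouring values appear to be grouped by range (5x for MAC, 6x for config, 8x for interrupt, 9x for tree paths) and 70 opens a new range with nothing saying what it covers; a trailing comment such as `// input file carries no sops metadata section` would document it. The enclosing const block starts before the hunk.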
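Review bot: The root `sops` library package now imports `github.com/getsops/sops/v3/cmd/sops/codes`, a package that lives under the CLI's `cmd/` tree, which inverts the usual dependency direction between a library and its command. If the CLI packages import the root package, as a `cmd/` tree normally does, this only compiles for as long as `codes` itself never imports `sops`, and any helper added to `codes` later would produce an import cycle. Consider moving the exit-code constants to a package outside `cmd/` that both the library and the CLI can import, or keeping the numeric codes out of sops.go and letting the CLI map each exported error value to its code. The import block continues outside the hunk.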
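Review bot: Both new literals are unkeyed, `&SopsError{codes.MacMismatch, "MAC mismatch"}`; keyed fields, `&SopsError{exitCode: codes.MacMismatch, message: "MAC mismatch"}`, are the idiomatic form for a two-field struct and make the role of each argument visible at the use site. Since the exit code now becomes part of the CLI's externally observable contract — a MAC mismatch is the signal that an encrypted file's integrity check failed, which callers and automation will want to tell apart from a generic failure — the doc comment should say so, e.g. `// MacMismatch occurs when the computed MAC does not match the expected one; the CLI exits with codes.MacMismatch.` (also fixing "expected ones"), with the same treatment for `MetadataNotFound`. Note that a `var` holding a pointer can be reassigned by importers, unlike the `const` these once were; that is pre-existing, but worth a comment if identity comparison against these values is relied upon elsewhere.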