package sops
import (
"errors"
"fmt"
"github.com/jfxdev/sops-saas/keychain"
"github.com/jfxdev/sops-saas/keychain/entities"
"go.mozilla.org/sops/v3"
"go.mozilla.org/sops/v3/aes"
"go.mozilla.org/sops/v3/cmd/sops/common"
"go.mozilla.org/sops/v3/cmd/sops/formats"
"go.mozilla.org/sops/v3/decrypt"
"go.mozilla.org/sops/v3/keyservice"
"go.mozilla.org/sops/v3/version"
)
// Format names understood by this package. Encrypt selects the YAML store only
// for formatYaml and falls back to JSON for every other value (including ""),
// whereas Decrypt passes the caller's format string straight through to sops,
// which rejects names it does not know.
const (
formatYaml = "yaml"
formatJson = "json"
)
// Cypher encrypts and decrypts whole documents with sops.
//
// Decrypt takes an encrypted sops document and the name of its serialization
// format (the parameter is called config here but carries the format string;
// the implementation names it format). Encrypt takes a plaintext document and
// an EncryptionConfig and returns the serialized sops document.
type Cypher interface {
Decrypt(content []byte, config string) ([]byte, error)
Encrypt(data []byte, config EncryptionConfig) ([]byte, error)
}
// cypher is the stateless Cypher implementation handed out by NewCypher.
type cypher struct{}
// NewCypher returns the package's Cypher implementation. It carries no state,
// so a single value can be shared by any number of callers.
func NewCypher() Cypher {
	var c cypher
	return &c
}
// Decrypt unwraps the sops document in content and returns its plaintext.
//
// format names the document's serialization and is handed to sops unchanged,
// so it must be a format string sops' decrypt package accepts. Whatever error
// sops reports (unknown format, no usable master key, integrity failure) is
// returned as-is.
//
// Security note: decrypt.Data resolves master keys through sops' default key
// services, i.e. presumably the credentials available to this process (cloud
// KMS, PGP/age keys). Nothing here checks whether the caller is allowed to read
// the document; that authorization has to happen before this method is called.
func (c *cypher) Decrypt(content []byte, format string) ([]byte, error) {
	plaintext, err := decrypt.Data(content, format)
	return plaintext, err
}
// EncryptionConfig describes how Encrypt should produce a sops document.
type EncryptionConfig struct {
// Format of the plaintext: formatYaml selects the YAML store, anything
// else (including "") is parsed as JSON.
Format string
// Keys are the master keys that wrap the data key. Each one is converted
// through keychain.KeyGroup(k.Platform) and all of them are placed in one
// sops key group, so (in sops semantics) any single key is enough to
// decrypt; there is no quorum across keys.
Keys []entities.EncryptionKey
// UnencryptedSuffix, EncryptedSuffix, UnencryptedRegex and EncryptedRegex
// are copied into the sops metadata and decide which values stay in
// plaintext. NOTE(review): sops applies every selector that is set, so
// setting more than one widens the plaintext set — use at most one.
UnencryptedSuffix string
EncryptedSuffix string
UnencryptedRegex string
EncryptedRegex string
// ShamirThreshold is copied into the sops metadata. NOTE(review): sops only
// splits the data key across multiple key groups and Encrypt always builds
// exactly one, so this value is not expected to add any protection here —
// confirm against the pinned sops version before relying on it.
ShamirThreshold int
}
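// Encrypt parses content in config.Format (YAML for formatYaml, JSON for
// anything else), generates a fresh data key, wraps it with every key in
// config.Keys and returns the serialized, encrypted sops document.
//
// All keys go into a single sops key group, so any one of them is sufficient
// to decrypt. sops only enforces a Shamir threshold across several key groups,
// which means config.ShamirThreshold cannot add a quorum requirement here; a
// threshold larger than the number of groups is rejected instead of being
// silently ignored.
//
// Returns an error when config.Keys is empty, when more than one of the
// (Un)EncryptedSuffix/Regex selectors is set, when a key's platform is unknown
// to the keychain, when the threshold is out of range, when the data key cannot
// be wrapped, or when sops fails to parse, encrypt or emit the document.
func (c *cypher) Encrypt(content []byte, config EncryptionConfig) ([]byte, error) {
	// Without a master key nothing could ever unwrap the data key; refuse
	// rather than emit a document nobody can read.
	if len(config.Keys) == 0 {
		return nil, errors.New("sops: at least one encryption key is required")
	}

	// sops honours every selector that is set, so combining them only widens
	// the set of values left in plaintext. Allow at most one, as the sops CLI
	// does.
	selectors := 0
	for _, s := range []string{
		config.UnencryptedSuffix,
		config.EncryptedSuffix,
		config.UnencryptedRegex,
		config.EncryptedRegex,
	} {
		if s != "" {
			selectors++
		}
	}
	if selectors > 1 {
		return nil, errors.New("sops: only one of UnencryptedSuffix, EncryptedSuffix, UnencryptedRegex and EncryptedRegex may be set")
	}

	var store common.Store
	switch config.Format {
	case formatYaml:
		store = common.StoreForFormat(formats.Yaml)
	default:
		// Any other value, including "", is treated as JSON.
		store = common.StoreForFormat(formats.Json)
	}

	branches, err := store.LoadPlainFile(content)
	if err != nil {
		return nil, err
	}

	// One key group holding every key: each key wraps the whole data key.
	keyGroup := make(sops.KeyGroup, 0, len(config.Keys))
	for _, k := range config.Keys {
		gfunc, kerr := keychain.KeyGroup(k.Platform)
		if kerr != nil {
			return nil, kerr
		}
		keyGroup = append(keyGroup, gfunc(k))
	}
	groups := []sops.KeyGroup{keyGroup}

	// A threshold above the group count can never be met; sops would either
	// ignore it (single group) or fail to split, so reject it explicitly.
	if config.ShamirThreshold > len(groups) {
		return nil, fmt.Errorf("sops: shamir threshold %d exceeds the number of key groups (%d)", config.ShamirThreshold, len(groups))
	}

	tree := sops.Tree{
		Branches: branches,
		Metadata: sops.Metadata{
			KeyGroups:         groups,
			UnencryptedSuffix: config.UnencryptedSuffix,
			EncryptedSuffix:   config.EncryptedSuffix,
			UnencryptedRegex:  config.UnencryptedRegex,
			EncryptedRegex:    config.EncryptedRegex,
			Version:           version.Version,
			ShamirThreshold:   config.ShamirThreshold,
		},
	}

	// The local key service wraps the data key with each master key using
	// this process' own credentials; errs carries one entry per failure.
	dataKey, errs := tree.GenerateDataKeyWithKeyServices(
		[]keyservice.KeyServiceClient{keyservice.NewLocalClient()},
	)
	if len(errs) > 0 {
		return nil, fmt.Errorf("Could not generate data key:%v", errs)
	}

	// EncryptTree encrypts every selected value with AES-GCM under dataKey and
	// stores the integrity MAC in the tree metadata.
	encryptTreeOpts := common.EncryptTreeOpts{
		DataKey: dataKey,
		Tree:    &tree,
		Cipher:  aes.NewCipher(),
	}
	if err := common.EncryptTree(encryptTreeOpts); err != nil {
		return nil, err
	}

	return store.EmitEncryptedFile(tree)
}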