// RemoveKMSMasterKeys takes a comma separated string of AWS KMS ARNs and removes the keys corresponding to those ARNs from the metadata's KeySources
func (m *Metadata) RemoveKMSMasterKeys(arns string) {
var keys []MasterKey
for _, k := range kms.MasterKeysFromArnString(arns) {
keys = append(keys, &k)
}
m.RemoveMasterKeys(keys)
}
// AddKMSMasterKeys parses the input comma separated string of AWS KMS ARNs, generates a KMS MasterKey for each ARN, and then adds the keys to the KMS KeySource
func (m *Metadata) AddKMSMasterKeys(kmsArns string) {
for i, ks := range m.KeySources {
if ks.Name == "kms" {
var keys []MasterKey
for _, k := range kms.MasterKeysFromArnString(kmsArns) {
keys = append(keys, &k)
}
ks.Keys = append(ks.Keys, keys...)
m.KeySources[i] = ks
}
}
}
func getKeySources(c *cli.Context, file string) ([]sops.KeySource, error) {
var kmsKeys []sops.MasterKey
var pgpKeys []sops.MasterKey
kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
if c.String("encryption-context") != "" && kmsEncryptionContext == nil {
return nil, cli.NewExitError("Invalid KMS encryption context format", exitErrorInvalidKMSEncryptionContextFormat)
}
if c.String("kms") != "" {
for _, k := range kms.MasterKeysFromArnString(c.String("kms"), kmsEncryptionContext) {
kmsKeys = append(kmsKeys, k)
}
}
if c.String("pgp") != "" {
for _, k := range pgp.MasterKeysFromFingerprintString(c.String("pgp")) {
pgpKeys = append(pgpKeys, k)
}
}
var err error
if c.String("kms") == "" && c.String("pgp") == "" {
var confBytes []byte
if c.String("config") != "" {
confBytes, err = ioutil.ReadFile(c.String("config"))
if err != nil {
return nil, cli.NewExitError(fmt.Sprintf("Error loading config file: %s", err), exitErrorReadingConfig)
}
}
kmsString, pgpString, err := yaml.MasterKeyStringsForFile(file, confBytes)
if err == nil {
for _, k := range pgp.MasterKeysFromFingerprintString(pgpString) {
pgpKeys = append(pgpKeys, k)
}
for _, k := range kms.MasterKeysFromArnString(kmsString, kmsEncryptionContext) {
kmsKeys = append(kmsKeys, k)
}
}
}
kmsKs := sops.KeySource{Name: "kms", Keys: kmsKeys}
pgpKs := sops.KeySource{Name: "pgp", Keys: pgpKeys}
return []sops.KeySource{kmsKs, pgpKs}, nil
}
// AddKMSMasterKeys parses the input comma separated string of AWS KMS ARNs, generates a KMS MasterKey for each ARN, and then adds the keys to the KMS KeySource
func (m *Metadata) AddKMSMasterKeys(kmsArns string, context map[string]*string) {
for i, ks := range m.KeySources {
if ks.Name == "kms" {
var keys []MasterKey
for _, k := range kms.MasterKeysFromArnString(kmsArns, context) {
keys = append(keys, k)
fmt.Printf("Adding new KMS master key: %s\n", k.Arn)
}
ks.Keys = append(ks.Keys, keys...)
m.KeySources[i] = ks
}
}
}
func encrypt(c *cli.Context, file string, fileBytes []byte, output io.Writer) error {
store := store(file)
branch, err := store.Unmarshal(fileBytes)
if err != nil {
return cli.NewExitError(fmt.Sprintf("Error loading file: %s", err), exitCouldNotReadInputFile)
}
var metadata sops.Metadata
metadata.UnencryptedSuffix = c.String("unencrypted-suffix")
metadata.Version = "2.0.0"
var kmsKeys []sops.MasterKey
var pgpKeys []sops.MasterKey
if c.String("kms") != "" {
for _, k := range kms.MasterKeysFromArnString(c.String("kms")) {
kmsKeys = append(kmsKeys, &k)
}
}
if c.String("pgp") != "" {
for _, k := range pgp.MasterKeysFromFingerprintString(c.String("pgp")) {
pgpKeys = append(pgpKeys, &k)
}
}
if c.String("kms") == "" && c.String("pgp") == "" {
var confBytes []byte
if c.String("config") != "" {
confBytes, err = ioutil.ReadFile(c.String("config"))
if err != nil {
return cli.NewExitError(fmt.Sprintf("Error loading config file: %s", err), exitErrorReadingConfig)
}
}
kmsString, pgpString, err := yaml.MasterKeyStringsForFile(file, confBytes)
if err == nil {
for _, k := range pgp.MasterKeysFromFingerprintString(pgpString) {
pgpKeys = append(pgpKeys, &k)
}
for _, k := range kms.MasterKeysFromArnString(kmsString) {
kmsKeys = append(kmsKeys, &k)
}
}
}
kmsKs := sops.KeySource{Name: "kms", Keys: kmsKeys}
pgpKs := sops.KeySource{Name: "pgp", Keys: pgpKeys}
metadata.KeySources = append(metadata.KeySources, kmsKs)
metadata.KeySources = append(metadata.KeySources, pgpKs)
tree := sops.Tree{Branch: branch, Metadata: metadata}
key, err := tree.GenerateDataKey()
if err != nil {
return cli.NewExitError(err.Error(), exitCouldNotRetrieveKey)
}
cipher := aes.Cipher{}
mac, err := tree.Encrypt(key, cipher)
encryptedMac, err := cipher.Encrypt(mac, key, []byte(metadata.LastModified.Format(time.RFC3339)))
if err != nil {
return cli.NewExitError(fmt.Sprintf("Could not encrypt MAC: %s", err), exitErrorEncryptingTree)
}
metadata.MessageAuthenticationCode = encryptedMac
out, err := store.MarshalWithMetadata(tree.Branch, metadata)
_, err = output.Write([]byte(out))
if err != nil {
return cli.NewExitError(fmt.Sprintf("Could not write to output stream: %s", err), exitCouldNotWriteOutputFile)
}
return nil
}