Documentation
Index
- Constants
- func DecryptTree(opts DecryptTreeOpts) (dataKey []byte, err error)
- func DetectKMSEncryptionContextBug(tree *sops.Tree) (bool, error)
- func EncryptTree(opts EncryptTreeOpts) error
- func FixAWSKMSEncryptionContextBug(opts GenericDecryptOpts, tree *sops.Tree) (*sops.Tree, error)
- func GetKMSKeyWithEncryptionCtx(tree *sops.Tree) (keyGroupIndex int, keyIndex int, key *kms.MasterKey)
- func LoadEncryptedFile(loader sops.EncryptedFileLoader, inputPath string) (*sops.Tree, error)
- func LoadEncryptedFileWithBugFixes(opts GenericDecryptOpts) (*sops.Tree, error)
- func NewExitError(i interface{}, exitCode int) *cli.ExitError
- func PrettyPrintDiffs(diffs []Diff)
- func RecoverDataKeyFromBuggyKMS(opts GenericDecryptOpts, tree *sops.Tree) []byte
- type DecryptTreeOpts
- type Diff
- type EncryptTreeOpts
- type ExampleFileEmitter
- type GenericDecryptOpts
- type Store
Constants
const KMS_ENC_CTX_BUG_FIXED_VERSION = "3.3.0"
KMS_ENC_CTX_BUG_FIXED_VERSION represents the SOPS version in which the encryption context bug was fixed.
Variables
This section is empty.
Functions
func DecryptTree
func DecryptTree(opts DecryptTreeOpts) (dataKey []byte, err error)
DecryptTree decrypts the tree passed in through the DecryptTreeOpts and additionally returns the decrypted data key.
func DetectKMSEncryptionContextBug
func DetectKMSEncryptionContextBug(tree *sops.Tree) (bool, error)
DetectKMSEncryptionContextBug returns true if the encryption context bug is detected in a given runtime sops.Tree object.
func EncryptTree
func EncryptTree(opts EncryptTreeOpts) error
EncryptTree encrypts the tree passed in through the EncryptTreeOpts.
func FixAWSKMSEncryptionContextBug
func FixAWSKMSEncryptionContextBug(opts GenericDecryptOpts, tree *sops.Tree) (*sops.Tree, error)
FixAWSKMSEncryptionContextBug is used to fix the issue described in https://github.com/mozilla/sops/pull/435
func GetKMSKeyWithEncryptionCtx
func GetKMSKeyWithEncryptionCtx(tree *sops.Tree) (keyGroupIndex int, keyIndex int, key *kms.MasterKey)
GetKMSKeyWithEncryptionCtx returns the first KMS key affected by the encryption context bug as well as its location in the key groups.
func LoadEncryptedFile
func LoadEncryptedFile(loader sops.EncryptedFileLoader, inputPath string) (*sops.Tree, error)
LoadEncryptedFile loads an encrypted SOPS file, returning a SOPS tree.
func LoadEncryptedFileWithBugFixes
func LoadEncryptedFileWithBugFixes(opts GenericDecryptOpts) (*sops.Tree, error)
LoadEncryptedFileWithBugFixes is a wrapper around LoadEncryptedFile which includes a check for the issue described in https://github.com/mozilla/sops/pull/435
func NewExitError
func NewExitError(i interface{}, exitCode int) *cli.ExitError
NewExitError returns a cli.ExitError given an error (wrapped in a generic interface{}) and an exit code to represent the failure.
func PrettyPrintDiffs
func PrettyPrintDiffs(diffs []Diff)
PrettyPrintDiffs prints a slice of Diff objects to stdout.
func RecoverDataKeyFromBuggyKMS
func RecoverDataKeyFromBuggyKMS(opts GenericDecryptOpts, tree *sops.Tree) []byte
RecoverDataKeyFromBuggyKMS loops through variations on the encryption context to recover the data key. This is used to fix the issue described in https://github.com/mozilla/sops/pull/435
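As an added illustration of the recovery loop that RecoverDataKeyFromBuggyKMS performs (example code, not the sops package's own): a mock KMS that, like AWS KMS, refuses to unwrap a data key unless the caller presents exactly the encryption context it was wrapped under, and a loop that tries the stored context and then each candidate variation. The MockKMS, CandidateContexts and RecoverDataKey names, the sample contexts and the candidate-building rule are assumptions made for this example.

```go
package main

import (
	"errors"
	"reflect"
)

// MockKMS stands in for AWS KMS, which unwraps a data key only under the exact context it was wrapped with; constructed for this example.
type MockKMS struct {
	BoundCtx map[string]string // context the data key was really wrapped under
	DataKey  []byte
}

func (m *MockKMS) Decrypt(ctx map[string]string) ([]byte, error) {
	if !reflect.DeepEqual(ctx, m.BoundCtx) { // KMS rejects a mismatched context
		return nil, errors.New("InvalidCiphertextException: encryption context mismatch")
	}
	return m.DataKey, nil
}

// CandidateContexts builds the variations to try. Assumption for this example (not from the page):
// the wrapping call used a context with every key carrying one of the stored values.
func CandidateContexts(stored map[string]string) []map[string]string {
	vals := map[string]bool{}
	for _, v := range stored {
		vals[v] = true
	}
	var cands []map[string]string
	for v := range vals {
		c := map[string]string{}
		for k := range stored {
			c[k] = v
		}
		cands = append(cands, c)
	}
	return cands
}

// RecoverDataKey mirrors the shape of RecoverDataKeyFromBuggyKMS; nil means recovery failed.
func RecoverDataKey(k *MockKMS, stored map[string]string) []byte {
	if dk, err := k.Decrypt(stored); err == nil {
		return dk
	}
	for _, c := range CandidateContexts(stored) {
		if dk, err := k.Decrypt(c); err == nil {
			return dk
		}
	}
	return nil
}
```

A nil result is the signal for the caller to stop and report the file as unrecoverable rather than retrying further against KMS.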
Types
type DecryptTreeOpts
type DecryptTreeOpts struct {
	// Tree is the tree to be decrypted
	Tree *sops.Tree
	// KeyServices are the key services to be used for decryption of the data key
	KeyServices []keyservice.KeyServiceClient
	// IgnoreMac is whether or not to ignore the Message Authentication Code included in the SOPS tree
	IgnoreMac bool
	// Cipher is the cryptographic cipher to use to decrypt the values inside the tree
	Cipher sops.Cipher
}
DecryptTreeOpts are the options needed to decrypt a tree.
type Diff
Diff represents a key diff.
func DiffKeyGroups
DiffKeyGroups returns the list of diffs found between two sops.keyGroup slices.
type EncryptTreeOpts
type EncryptTreeOpts struct {
	// Tree is the tree to be encrypted
	Tree *sops.Tree
	// Cipher is the cryptographic cipher to use to encrypt the values inside the tree
	Cipher sops.Cipher
	// DataKey is the key the cipher should use to encrypt the values inside the tree
	DataKey []byte
}
EncryptTreeOpts are the options needed to encrypt a tree.
type ExampleFileEmitter
type ExampleFileEmitter interface {
	EmitExample() []byte
}
ExampleFileEmitter emits example files. This is used by the `sops` binary whenever a new file is created, in order to present the user with a non-empty file.
type GenericDecryptOpts
type GenericDecryptOpts struct {
	Cipher      sops.Cipher
	InputStore  sops.Store
	InputPath   string
	IgnoreMAC   bool
	KeyServices []keyservice.KeyServiceClient
}
GenericDecryptOpts represents decryption options and config.
type Store
type Store interface {
	sops.Store
	ExampleFileEmitter
}
Store handles marshaling and unmarshaling from SOPS files.
func DefaultStoreForPath
DefaultStoreForPath returns the correct format-specific implementation of the Store interface given the path to a file.
func DefaultStoreForPathOrFormat
DefaultStoreForPathOrFormat returns the correct format-specific implementation of the Store interface given the formatString if specified, or otherwise the path to a file. This exists to support the CLI, where both are provided.
func StoreForFormat
func StoreForFormat(format Format) Store
StoreForFormat returns the correct format-specific implementation of the Store interface given the format.