Merge branch 'main' into allow-azure-keyvault-empty-version

Author: felixfontein

.github/workflows/cli.yml

@@ -29,7 +29,7 @@ jobs:
       VAULT_ADDR: "http://127.0.0.1:8200"
     steps:
       - name: Set up Go ${{ matrix.go-version }}
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: ${{ matrix.go-version }}
         id: go

.github/workflows/codeql.yml

@@ -35,7 +35,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
+        uses: github/codeql-action/init@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.29.5
         with:
           languages: go
           # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
@@ -52,6 +52,6 @@ jobs:
           make install
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
+        uses: github/codeql-action/analyze@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.29.5
         with:
           category: "/language:go"

.github/workflows/release.yml

@@ -31,7 +31,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v4.0.1
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v4.0.1
         with:
           go-version: 1.24
           cache: false

audit/audit.go

@@ -14,7 +14,7 @@ import (
 
 	"github.com/getsops/sops/v3/logging"
 	"github.com/sirupsen/logrus"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v3"
 )
 
 var log *logrus.Logger

config/config.go

@@ -19,7 +19,7 @@ import (
 	"github.com/getsops/sops/v3/kms"
 	"github.com/getsops/sops/v3/pgp"
 	"github.com/getsops/sops/v3/publish"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v3"
 )
 
 type fileSystem interface {
@@ -508,7 +508,18 @@ func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptio
 	}
 
 	var dest publish.Destination
-	if dRule.S3Bucket != "" && dRule.GCSBucket != "" && dRule.VaultPath != "" {
+	destinationCount := 0
+	if dRule.S3Bucket != "" {
+		destinationCount++
+	}
+	if dRule.GCSBucket != "" {
+		destinationCount++
+	}
+	if dRule.VaultPath != "" {
+		destinationCount++
+	}
+
+	if destinationCount > 1 {
 		return nil, fmt.Errorf("error loading config: more than one destinations were found in a single destination rule, you can only use one per rule")
 	}
 	if dRule.S3Bucket != "" {

config/config_test.go

@@ -755,3 +755,127 @@ creation_rules:
 	assert.Equal(t, 1, keyTypeCounts["gcp_kms"])
 	assert.Equal(t, 1, keyTypeCounts["hc_vault"])
 }
+
+// Test configurations with multiple destinations should fail
+var sampleConfigWithS3GCSConflict = []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    s3_bucket: 'my-s3-bucket'
+    s3_prefix: 'sops/'
+    gcs_bucket: 'my-gcs-bucket'
+    gcs_prefix: 'sops/'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+
+var sampleConfigWithS3VaultConflict = []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    s3_bucket: 'my-s3-bucket'
+    s3_prefix: 'sops/'
+    vault_path: 'secret/sops'
+    vault_address: 'https://vault.example.com'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+
+var sampleConfigWithGCSVaultConflict = []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    gcs_bucket: 'my-gcs-bucket'
+    gcs_prefix: 'sops/'
+    vault_path: 'secret/sops'
+    vault_address: 'https://vault.example.com'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+
+var sampleConfigWithAllThreeDestinations = []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    s3_bucket: 'my-s3-bucket'
+    s3_prefix: 'sops/'
+    gcs_bucket: 'my-gcs-bucket'
+    gcs_prefix: 'sops/'
+    vault_path: 'secret/sops'
+    vault_address: 'https://vault.example.com'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+
+func TestDestinationValidationS3GCSConflict(t *testing.T) {
+	_, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithS3GCSConflict, t), "test/secrets.yaml", nil)
+	assert.NotNil(t, err, "Expected error when both S3 and GCS destinations are specified")
+	if err != nil {
+		assert.Contains(t, err.Error(), "more than one destinations were found")
+	}
+}
+
+func TestDestinationValidationS3VaultConflict(t *testing.T) {
+	_, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithS3VaultConflict, t), "test/secrets.yaml", nil)
+	assert.NotNil(t, err, "Expected error when both S3 and Vault destinations are specified")
+	if err != nil {
+		assert.Contains(t, err.Error(), "more than one destinations were found")
+	}
+}
+
+func TestDestinationValidationGCSVaultConflict(t *testing.T) {
+	_, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithGCSVaultConflict, t), "test/secrets.yaml", nil)
+	assert.NotNil(t, err, "Expected error when both GCS and Vault destinations are specified")
+	if err != nil {
+		assert.Contains(t, err.Error(), "more than one destinations were found")
+	}
+}
+
+func TestDestinationValidationAllThreeDestinationsConflict(t *testing.T) {
+	_, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithAllThreeDestinations, t), "test/secrets.yaml", nil)
+	assert.NotNil(t, err, "Expected error when all three destinations are specified")
+	if err != nil {
+		assert.Contains(t, err.Error(), "more than one destinations were found")
+	}
+}
+
+func TestDestinationValidationSingleS3Destination(t *testing.T) {
+	validS3Config := []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    s3_bucket: 'my-s3-bucket'
+    s3_prefix: 'sops/'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+	conf, err := parseDestinationRuleForFile(parseConfigFile(validS3Config, t), "test/secrets.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Contains(t, conf.Destination.Path("secrets.yaml"), "s3://my-s3-bucket/sops/secrets.yaml")
+}
+
+func TestDestinationValidationSingleGCSDestination(t *testing.T) {
+	validGCSConfig := []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    gcs_bucket: 'my-gcs-bucket'
+    gcs_prefix: 'sops/'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+	conf, err := parseDestinationRuleForFile(parseConfigFile(validGCSConfig, t), "test/secrets.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Contains(t, conf.Destination.Path("secrets.yaml"), "gcs://my-gcs-bucket/sops/secrets.yaml")
+}
+
+func TestDestinationValidationSingleVaultDestination(t *testing.T) {
+	validVaultConfig := []byte(`
+destination_rules:
+  - path_regex: '^test/.*'
+    vault_path: 'secret/sops'
+    vault_address: 'https://vault.example.com'
+    recreation_rule:
+      kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+`)
+	conf, err := parseDestinationRuleForFile(parseConfigFile(validVaultConfig, t), "test/secrets.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Contains(t, conf.Destination.Path("secrets.yaml"), "https://vault.example.com/v1/secret/data/secret/sops/secrets.yaml")
+}

functional-tests/src/lib.rs

@@ -265,6 +265,57 @@ bar: baz
         }
     }
 
+    #[test]
+    fn test_ini_values_as_strings() {
+        let file_path = prepare_temp_file(
+            "test_ini_values_as_strings.yaml",
+            b"the_section:
+  int: 123
+  float: 1.23
+  bool: true
+  date: 2025-01-02
+  timestamp: 2025-01-02 03:04:05
+  utc_timestamp: 2025-01-02T03:04:05Z
+  string: this is a string",
+        );
+        assert!(
+            Command::new(SOPS_BINARY_PATH)
+                .arg("encrypt")
+                .arg("-i")
+                .arg(file_path.clone())
+                .output()
+                .expect("Error running sops")
+                .status
+                .success(),
+            "sops didn't exit successfully"
+        );
+        let output = Command::new(SOPS_BINARY_PATH)
+            .arg("decrypt")
+            .arg("--output-type")
+            .arg("ini")
+            .arg(file_path.clone())
+            .output()
+            .expect("Error running sops");
+        println!(
+            "stdout: {}, stderr: {}",
+            String::from_utf8_lossy(&output.stdout),
+            String::from_utf8_lossy(&output.stderr)
+        );
+        assert!(output.status.success(), "sops didn't exit successfully");
+        let data = &String::from_utf8_lossy(&output.stdout);
+        assert!(
+            data == "[the_section]
+int           = 123
+float         = 1.23
+bool          = true
+date          = 2025-01-02T00:00:00Z
+timestamp     = 2025-01-02T03:04:05Z
+utc_timestamp = 2025-01-02T03:04:05Z
+string        = this is a string
+"
+        );
+    }
+
     #[test]
     fn encrypt_yaml_file() {
         let file_path = prepare_temp_file(

go.mod

@@ -33,6 +33,7 @@ require (
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.11.0
 	github.com/urfave/cli v1.22.17
+	go.yaml.in/yaml/v3 v3.0.4
 	golang.org/x/crypto v0.41.0
 	golang.org/x/net v0.43.0
 	golang.org/x/oauth2 v0.30.0
@@ -43,7 +44,6 @@ require (
 	google.golang.org/grpc v1.75.0
 	google.golang.org/protobuf v1.36.8
 	gopkg.in/ini.v1 v1.67.0
-	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
@@ -145,4 +145,5 @@ require (
 	golang.org/x/time v0.12.0 // indirect
 	google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -303,6 +303,8 @@ go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFh
 go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
 go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
 go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=

stores/ini/store.go

@@ -4,8 +4,6 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-
-	"strconv"
 	"strings"
 
 	"github.com/getsops/sops/v3"
@@ -56,7 +54,7 @@ func (store Store) encodeTree(branches sops.TreeBranches) ([]byte, error) {
 						lastItem.Comment = comment.Value
 					}
 				} else {
-					lastItem, err = section.NewKey(keyVal.Key.(string), store.valToString(keyVal.Value))
+					lastItem, err = section.NewKey(keyVal.Key.(string), stores.ValToString(keyVal.Value))
 					if err != nil {
 						return nil, fmt.Errorf("Error encoding key: %s", err)
 					}
@@ -78,19 +76,6 @@ func (store Store) stripCommentChar(comment string) string {
 	return comment
 }
 
-func (store Store) valToString(v interface{}) string {
-	switch v := v.(type) {
-	case fmt.Stringer:
-		return v.String()
-	case float64:
-		return strconv.FormatFloat(v, 'f', 6, 64)
-	case bool:
-		return strconv.FormatBool(v)
-	default:
-		return fmt.Sprintf("%s", v)
-	}
-}
-
 func (store Store) iniFromTreeBranches(branches sops.TreeBranches) ([]byte, error) {
 	return store.encodeTree(branches)
 }