Merge branch 'main' into add-completion

Author: felixfontein

.github/workflows/codeql.yml

@@ -35,7 +35,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
         with:
           languages: go
           # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
@@ -52,6 +52,6 @@ jobs:
           make install
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
         with:
           category: "/language:go"

.github/workflows/release.yml

@@ -37,10 +37,10 @@ jobs:
           cache: false
 
       - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@cee1b8e05ae5b2593a75e197229729eabaa9f8ec # v0.20.2
+        uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4
 
       - name: Setup Cosign
-        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
 
       - name: Setup QEMU
         uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

README.rst

@@ -225,16 +225,17 @@ configuration directory.
 
 - **Linux**
 
-  - Looks for `keys.txt` in `$XDG_CONFIG_HOME/sops/age/keys.txt`;
-  - Falls back to `$HOME/.config/sops/age/keys.txt` if `$XDG_CONFIG_HOME` isn’t set.
+  - Looks for ``keys.txt`` in ``$XDG_CONFIG_HOME/sops/age/keys.txt``;
+  - Falls back to ``$HOME/.config/sops/age/keys.txt`` if ``$XDG_CONFIG_HOME`` isn’t set.
 
 - **macOS**
 
-  - Looks for `keys.txt` in `$HOME/Library/Application Support/sops/age/keys.txt`.
+  - Looks for ``keys.txt`` in ``$XDG_CONFIG_HOME/sops/age/keys.txt``;
+  - Falls back to ``$HOME/Library/Application Support/sops/age/keys.txt``.
 
 - **Windows**
 
-  - Looks for `keys.txt` in `%AppData%\\sops\\age\\keys.txt`.
+  - Looks for ``keys.txt`` in `%AppData%\\sops\\age\\keys.txt``.
 
 You can override the default lookup by:
 
@@ -1476,7 +1477,7 @@ original file after encrypting or decrypting it.
 Encrypting binary files
 ~~~~~~~~~~~~~~~~~~~~~~~
 
-SOPS primary use case is encrypting YAML and JSON configuration files, but it
+SOPS primary use case is encrypting YAML, JSON, ENV, and INI configuration files, but it
 also has the ability to manage binary files. When encrypting a binary, SOPS will
 read the data as bytes, encrypt it, store the encrypted base64 under
 ``tree['data']`` and write the result as JSON.
@@ -1559,6 +1560,17 @@ The value must be formatted as json.
 
     $ sops set ~/git/svc/sops/example.yaml '["an_array"][1]' '{"uid1":null,"uid2":1000,"uid3":["bob"]}'
 
+You can also provide the value from a file or stdin:
+
+.. code:: sh
+
+    # Provide the value from a file
+    $ echo '{"uid1":null,"uid2":1000,"uid3":["bob"]}' > /tmp/example-value
+    $ sops set ~/git/svc/sops/example.yaml --value-file '["an_array"][1]' /tmp/example-value
+
+    # Provide the value from stdin
+    $ echo '{"uid1":null,"uid2":1000,"uid3":["bob"]}' | sops set ~/git/svc/sops/example.yaml --value-stdin '["an_array"][1]'
+
 Unset a sub-part in a document tree
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -1610,9 +1622,9 @@ git client interfaces, because they call git diff under the hood!
 Encrypting only parts of a file
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Note: this only works on YAML and JSON files, not on BINARY files.
+Note: this only works on YAML, JSON, ENV, and INI files, not on BINARY files.
 
-By default, SOPS encrypts all the values of a YAML or JSON file and leaves the
+By default, SOPS encrypts all the values of a YAML, JSON, ENV, or INI file and leaves the
 keys in cleartext. In some instances, you may want to exclude some values from
 being encrypted. This can be accomplished by adding the suffix **_unencrypted**
 to any key of a file. When set, all values underneath the key that set the
@@ -1823,9 +1835,9 @@ automation, we found this to be a hard problem with a number of prerequisites:
    git repo, jenkins and S3) and only be decrypted on the target
    systems
 
-SOPS can be used to encrypt YAML, JSON and BINARY files. In BINARY mode, the
+SOPS can be used to encrypt YAML, JSON, ENV, INI, and BINARY files. In BINARY mode, the
 content of the file is treated as a blob, the same way PGP would encrypt an
-entire file. In YAML and JSON modes, however, the content of the file is
+entire file. In YAML, JSON, ENV, and INI modes, however, the content of the file is
 manipulated as a tree where keys are stored in cleartext, and values are
 encrypted. hiera-eyaml does something similar, and over the years we learned
 to appreciate its benefits, namely:

age/keysource.go

@@ -94,6 +94,18 @@ func MasterKeysFromRecipients(commaSeparatedRecipients string) ([]*MasterKey, er
 	return keys, nil
 }
 
+// errSet is a collection of captured errors.
+type errSet []error
+
+// Error joins the errors into a "; " separated string.
+func (e errSet) Error() string {
+	str := make([]string, len(e))
+	for i, err := range e {
+		str[i] = err.Error()
+	}
+	return strings.Join(str, "; ")
+}
+
 // MasterKeyFromRecipient takes a Bech32-encoded age public key, parses it, and
 // returns a new MasterKey.
 func MasterKeyFromRecipient(recipient string) (*MasterKey, error) {
@@ -197,11 +209,13 @@ func (key *MasterKey) SetEncryptedDataKey(enc []byte) {
 // Decrypt decrypts the EncryptedKey with the parsed or loaded identities, and
 // returns the result.
 func (key *MasterKey) Decrypt() ([]byte, error) {
+	var errs errSet
 	if len(key.parsedIdentities) == 0 {
-		ids, err := key.loadIdentities()
-		if err != nil {
+		var ids ParsedIdentities
+		ids, errs = key.loadIdentities()
+		if len(ids) == 0 {
 			log.Info("Decryption failed")
-			return nil, fmt.Errorf("failed to load age identities: %w", err)
+			return nil, fmt.Errorf("failed to load age identities: %w", errs)
 		}
 		ids.ApplyToMasterKey(key)
 	}
@@ -211,7 +225,11 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 	r, err := age.Decrypt(ar, key.parsedIdentities...)
 	if err != nil {
 		log.Info("Decryption failed")
-		return nil, fmt.Errorf("failed to create reader for decrypting sops data key with age: %w", err)
+		var loadErrors string
+		if len(errs) > 0 {
+			loadErrors = fmt.Sprintf(". Errors while loading age identities: %s", errs.Error())
+		}
+		return nil, fmt.Errorf("failed to create reader for decrypting sops data key with age: %w%s", err, loadErrors)
 	}
 
 	var b bytes.Buffer
@@ -289,14 +307,15 @@ func getUserConfigDir() (string, error) {
 // environment configurations (e.g. SopsAgeKeyEnv, SopsAgeKeyFileEnv,
 // SopsAgeSshPrivateKeyFileEnv, SopsAgeKeyUserConfigPath). It will load all
 // found references, and expects at least one configuration to be present.
-func (key *MasterKey) loadIdentities() (ParsedIdentities, error) {
+func (key *MasterKey) loadIdentities() (ParsedIdentities, errSet) {
 	var identities ParsedIdentities
 
+	var errs errSet
+
 	sshIdentity, err := loadAgeSSHIdentity()
 	if err != nil {
-		return nil, fmt.Errorf("failed to get SSH identity: %w", err)
-	}
-	if sshIdentity != nil {
+		errs = append(errs, fmt.Errorf("failed to get SSH identity: %w", err))
+	} else if sshIdentity != nil {
 		identities = append(identities, sshIdentity)
 	}
 
@@ -309,39 +328,39 @@ func (key *MasterKey) loadIdentities() (ParsedIdentities, error) {
 	if ageKeyFile, ok := os.LookupEnv(SopsAgeKeyFileEnv); ok {
 		f, err := os.Open(ageKeyFile)
 		if err != nil {
-			return nil, fmt.Errorf("failed to open %s file: %w", SopsAgeKeyFileEnv, err)
+			errs = append(errs, fmt.Errorf("failed to open %s file: %w", SopsAgeKeyFileEnv, err))
+		} else {
+			defer f.Close()
+			readers[SopsAgeKeyFileEnv] = f
 		}
-		defer f.Close()
-		readers[SopsAgeKeyFileEnv] = f
 	}
 
 	if ageKeyCmd, ok := os.LookupEnv(SopsAgeKeyCmdEnv); ok {
 		args, err := shlex.Split(ageKeyCmd)
 		if err != nil {
-			return nil, fmt.Errorf("failed to parse command %s from %s: %w", ageKeyCmd, SopsAgeKeyCmdEnv, err)
+			errs = append(errs, fmt.Errorf("failed to parse command %s from %s: %w", ageKeyCmd, SopsAgeKeyCmdEnv, err))
+		} else {
+			out, err := exec.Command(args[0], args[1:]...).Output()
+			if err != nil {
+				errs = append(errs, fmt.Errorf("failed to execute command %s from %s: %w", ageKeyCmd, SopsAgeKeyCmdEnv, err))
+			} else {
+				readers[SopsAgeKeyCmdEnv] = bytes.NewReader(out)
+			}
 		}
-		out, err := exec.Command(args[0], args[1:]...).Output()
-		if err != nil {
-			return nil, fmt.Errorf("failed to execute command %s from %s: %w", ageKeyCmd, SopsAgeKeyCmdEnv, err)
-		}
-		readers[SopsAgeKeyCmdEnv] = bytes.NewReader(out)
 	}
 
 	userConfigDir, err := getUserConfigDir()
 	if err != nil && len(readers) == 0 && len(identities) == 0 {
-		return nil, fmt.Errorf("user config directory could not be determined: %w", err)
-	}
-	if userConfigDir != "" {
+		errs = append(errs, fmt.Errorf("user config directory could not be determined: %w", err))
+	} else if userConfigDir != "" {
 		ageKeyFilePath := filepath.Join(userConfigDir, filepath.FromSlash(SopsAgeKeyUserConfigPath))
 		f, err := os.Open(ageKeyFilePath)
 		if err != nil && !errors.Is(err, os.ErrNotExist) {
-			return nil, fmt.Errorf("failed to open file: %w", err)
-		}
-		if errors.Is(err, os.ErrNotExist) && len(readers) == 0 && len(identities) == 0 {
+			errs = append(errs, fmt.Errorf("failed to open file: %w", err))
+		} else if errors.Is(err, os.ErrNotExist) && len(readers) == 0 && len(identities) == 0 {
 			// If we have no other readers, presence of the file is required.
-			return nil, fmt.Errorf("failed to open file: %w", err)
-		}
-		if err == nil {
+			errs = append(errs, fmt.Errorf("failed to open file: %w", err))
+		} else if err == nil {
 			defer f.Close()
 			readers[ageKeyFilePath] = f
 		}
@@ -350,11 +369,12 @@ func (key *MasterKey) loadIdentities() (ParsedIdentities, error) {
 	for n, r := range readers {
 		ids, err := unwrapIdentities(n, r)
 		if err != nil {
-			return nil, err
+			errs = append(errs, err)
+		} else {
+			identities = append(identities, ids...)
 		}
-		identities = append(identities, ids...)
 	}
-	return identities, nil
+	return identities, errs
 }
 
 // parseRecipient attempts to parse a string containing an encoded age public

age/keysource_test.go

@@ -369,8 +369,8 @@ func TestMasterKey_loadIdentities(t *testing.T) {
 		t.Setenv(SopsAgeKeyEnv, mockIdentity)
 
 		key := &MasterKey{}
-		got, err := key.loadIdentities()
-		assert.NoError(t, err)
+		got, errs := key.loadIdentities()
+		assert.Len(t, errs, 0)
 		assert.Len(t, got, 1)
 	})
 
@@ -382,8 +382,8 @@ func TestMasterKey_loadIdentities(t *testing.T) {
 		t.Setenv(SopsAgeKeyEnv, mockIdentity+"\n"+mockOtherIdentity)
 
 		key := &MasterKey{}
-		got, err := key.loadIdentities()
-		assert.NoError(t, err)
+		got, errs := key.loadIdentities()
+		assert.Len(t, errs, 0)
 		assert.Len(t, got, 2)
 	})
 
@@ -398,8 +398,8 @@ func TestMasterKey_loadIdentities(t *testing.T) {
 		t.Setenv(SopsAgeKeyFileEnv, keyPath)
 
 		key := &MasterKey{}
-		got, err := key.loadIdentities()
-		assert.NoError(t, err)
+		got, errs := key.loadIdentities()
+		assert.Len(t, errs, 0)
 		assert.Len(t, got, 1)
 	})
 
@@ -416,8 +416,8 @@ func TestMasterKey_loadIdentities(t *testing.T) {
 		assert.NoError(t, os.MkdirAll(filepath.Dir(keyPath), 0o700))
 		assert.NoError(t, os.WriteFile(keyPath, []byte(mockIdentity), 0o644))
 
-		got, err := (&MasterKey{}).loadIdentities()
-		assert.NoError(t, err)
+		got, errs := (&MasterKey{}).loadIdentities()
+		assert.Len(t, errs, 0)
 		assert.Len(t, got, 1)
 	})
 
@@ -435,18 +435,19 @@ func TestMasterKey_loadIdentities(t *testing.T) {
 		t.Setenv(SopsAgeSshPrivateKeyFileEnv, keyPath)
 
 		key := &MasterKey{}
-		got, err := key.loadIdentities()
-		assert.NoError(t, err)
+		got, errs := key.loadIdentities()
+		assert.Len(t, errs, 0)
 		assert.Len(t, got, 1)
 	})
 
 	t.Run("no identity", func(t *testing.T) {
 		tmpDir := t.TempDir()
 		overwriteUserConfigDir(t, tmpDir)
 
-		got, err := (&MasterKey{}).loadIdentities()
-		assert.Error(t, err)
-		assert.ErrorContains(t, err, "failed to open file")
+		got, errs := (&MasterKey{}).loadIdentities()
+		assert.Len(t, errs, 1)
+		assert.Error(t, errs[0])
+		assert.ErrorContains(t, errs[0], "failed to open file")
 		assert.Nil(t, got)
 	})
 
@@ -467,8 +468,8 @@ func TestMasterKey_loadIdentities(t *testing.T) {
 		assert.NoError(t, os.WriteFile(keyPath2, []byte(mockOtherIdentity), 0o644))
 		t.Setenv(SopsAgeKeyFileEnv, keyPath2)
 
-		got, err := (&MasterKey{}).loadIdentities()
-		assert.NoError(t, err)
+		got, errs := (&MasterKey{}).loadIdentities()
+		assert.Len(t, errs, 0)
 		assert.Len(t, got, 2)
 	})
 
@@ -480,9 +481,10 @@ func TestMasterKey_loadIdentities(t *testing.T) {
 		t.Setenv(SopsAgeKeyEnv, "invalid")
 
 		key := &MasterKey{}
-		got, err := key.loadIdentities()
-		assert.Error(t, err)
-		assert.ErrorContains(t, err, fmt.Sprintf("failed to parse '%s' age identities", SopsAgeKeyEnv))
+		got, errs := key.loadIdentities()
+		assert.Len(t, errs, 1)
+		assert.Error(t, errs[0])
+		assert.ErrorContains(t, errs[0], fmt.Sprintf("failed to parse '%s' age identities", SopsAgeKeyEnv))
 		assert.Nil(t, got)
 	})
 
@@ -494,8 +496,8 @@ func TestMasterKey_loadIdentities(t *testing.T) {
 		t.Setenv(SopsAgeKeyCmdEnv, "echo '"+mockIdentity+"'")
 
 		key := &MasterKey{}
-		got, err := key.loadIdentities()
-		assert.NoError(t, err)
+		got, errs := key.loadIdentities()
+		assert.Len(t, errs, 0)
 		assert.Len(t, got, 1)
 	})
 
@@ -507,9 +509,10 @@ func TestMasterKey_loadIdentities(t *testing.T) {
 		t.Setenv(SopsAgeKeyCmdEnv, "meow")
 
 		key := &MasterKey{}
-		got, err := key.loadIdentities()
-		assert.Error(t, err)
-		assert.ErrorContains(t, err, "failed to execute command meow")
+		got, errs := key.loadIdentities()
+		assert.Len(t, errs, 2)
+		assert.Error(t, errs[0])
+		assert.ErrorContains(t, errs[0], "failed to execute command meow")
 		assert.Nil(t, got)
 	})
 }

cmd/sops/edit.go

@@ -109,6 +109,10 @@ func editTree(opts editOpts, tree *sops.Tree, dataKey []byte) ([]byte, error) {
 	}
 	// Ensure that in any case, the temporary file is always closed.
 	defer tmpfile.Close()
+	// Ensure that the file is read+write for owner only.
+	if err = tmpfile.Chmod(0600); err != nil {
+		return nil, common.NewExitError(fmt.Sprintf("Could not change permissions of temporary file to read-write for owner only: %s", err), codes.CouldNotWriteOutputFile)
+	}
 
 	tmpfileName := tmpfile.Name()