Add Azure Key Vault publish destination

dmunch · dmunch · commit f1999b57d4c6 · 2023-07-05T12:18:22.000+02:00
diff --git a/cmd/sops/subcommand/publish/publish.go b/cmd/sops/subcommand/publish/publish.go
@@ -135,7 +135,7 @@ func Run(opts Opts) error {
 				return fmt.Errorf("could not read file: %s", err)
 			}
 		}
-	case *publish.VaultDestination:
+	case *publish.VaultDestination, *publish.AzureKeyVaultDestination:
 		_, err = common.DecryptTree(common.DecryptTreeOpts{
 			Cipher:      opts.Cipher,
 			IgnoreMac:   false,
@@ -174,7 +174,7 @@ func Run(opts Opts) error {
 	switch dest := conf.Destination.(type) {
 	case *publish.S3Destination, *publish.GCSDestination:
 		err = dest.Upload(fileContents, destinationPath)
-	case *publish.VaultDestination:
+	case *publish.VaultDestination, *publish.AzureKeyVaultDestination:
 		err = dest.UploadUnencrypted(data, destinationPath)
 	}
 
diff --git a/config/config.go b/config/config.go
@@ -96,17 +96,19 @@ type azureKVKey struct {
 }
 
 type destinationRule struct {
-	PathRegex        string       `yaml:"path_regex"`
-	S3Bucket         string       `yaml:"s3_bucket"`
-	S3Prefix         string       `yaml:"s3_prefix"`
-	GCSBucket        string       `yaml:"gcs_bucket"`
-	GCSPrefix        string       `yaml:"gcs_prefix"`
-	VaultPath        string       `yaml:"vault_path"`
-	VaultAddress     string       `yaml:"vault_address"`
-	VaultKVMountName string       `yaml:"vault_kv_mount_name"`
-	VaultKVVersion   int          `yaml:"vault_kv_version"`
-	RecreationRule   creationRule `yaml:"recreation_rule,omitempty"`
-	OmitExtensions   bool         `yaml:"omit_extensions"`
+	PathRegex          string       `yaml:"path_regex"`
+	S3Bucket           string       `yaml:"s3_bucket"`
+	S3Prefix           string       `yaml:"s3_prefix"`
+	GCSBucket          string       `yaml:"gcs_bucket"`
+	GCSPrefix          string       `yaml:"gcs_prefix"`
+	VaultPath          string       `yaml:"vault_path"`
+	VaultAddress       string       `yaml:"vault_address"`
+	VaultKVMountName   string       `yaml:"vault_kv_mount_name"`
+	VaultKVVersion     int          `yaml:"vault_kv_version"`
+	RecreationRule     creationRule `yaml:"recreation_rule,omitempty"`
+	OmitExtensions     bool         `yaml:"omit_extensions"`
+	AzureKeyVaultURL   string       `yaml:"azure_keyvault_url"`
+	AzurePublishSuffix string       `yaml:"azure_publish_suffix"`
 }
 
 type creationRule struct {
@@ -305,6 +307,9 @@ func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptio
 		if dRule.VaultPath != "" {
 			dest = publish.NewVaultDestination(dRule.VaultAddress, dRule.VaultPath, dRule.VaultKVMountName, dRule.VaultKVVersion)
 		}
+		if dRule.AzureKeyVaultURL != "" {
+			dest = publish.NewAzureKeyVaultDestination(dRule.AzureKeyVaultURL, dRule.AzurePublishSuffix)
+		}
 	}
 
 	config, err := configFromRule(rule, kmsEncryptionContext)
diff --git a/go.mod b/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0
 	github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec
 	github.com/aws/aws-sdk-go-v2 v1.18.1
 	github.com/aws/aws-sdk-go-v2/config v1.18.27
@@ -35,7 +36,7 @@ require (
 	go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a
 	golang.org/x/crypto v0.10.0
 	golang.org/x/net v0.11.0
-	golang.org/x/sys v0.9.0
+	golang.org/x/sys v0.10.0
 	golang.org/x/term v0.9.0
 	google.golang.org/api v0.129.0
 	google.golang.org/genproto v0.0.0-20230629202037-9506855d4529
@@ -119,7 +120,7 @@ require (
 	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/mod v0.9.0 // indirect
 	golang.org/x/oauth2 v0.9.0 // indirect
-	golang.org/x/text v0.10.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
 	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
 	golang.org/x/tools v0.7.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
diff --git a/go.sum b/go.sum
@@ -22,6 +22,8 @@ github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInm
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM=
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 h1:m/sWOGCREuSBqg2htVQTBY8nOZpyajYztF0vUvSZTuM=
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0/go.mod h1:Pu5Zksi2KrU7LPbZbNINx6fuVrUp/ffvpxdDj+i8LeE=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0 h1:xnO4sFyG8UH2fElBkcqLTOZsAajvKfnSlgBBW8dXYjw=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0/go.mod h1:XD3DIOOVgBCO03OleB1fHjgktVRFxlT++KwKgIOewdM=
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 h1:FbH3BbSb4bvGluTesZZ+ttN/MDsnMmQP36OSnDuSXqw=
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1/go.mod h1:9V2j0jn9jDEkCkv8w/bKTNppX/d0FVA1ud77xCIP4KA=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
@@ -411,8 +413,8 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
@@ -429,8 +431,8 @@ golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
-golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
+golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20220609170525-579cf78fd858 h1:Dpdu/EMxGMFgq0CeYMh4fazTD2vtlZRYE7wyynxJb9U=
 golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
diff --git a/publish/azkv.go b/publish/azkv.go
@@ -0,0 +1,73 @@
+package publish
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"go.mozilla.org/sops/v3/logging"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
+	"github.com/sirupsen/logrus"
+)
+
+var azkvLog *logrus.Logger
+
+func init() {
+	azkvLog = logging.NewLogger("AZKVPublish")
+}
+
+type AzureKeyVaultDestination struct {
+	azureKeyVaultURL string
+	publishSuffix    string
+}
+
+func NewAzureKeyVaultDestination(azureKeyVaultURL string, publishSuffix string) *AzureKeyVaultDestination {
+	return &AzureKeyVaultDestination{azureKeyVaultURL, publishSuffix}
+}
+
+func (azkvd *AzureKeyVaultDestination) Path(fileName string) string {
+	return fmt.Sprintf("%s", azkvd.azureKeyVaultURL)
+}
+
+// Returns NotImplementedError
+func (azkvd *AzureKeyVaultDestination) Upload(fileContents []byte, fileName string) error {
+	return &NotImplementedError{"Azure Key Vault does not support uploading encrypted sops files directly."}
+}
+
+func (azkvd *AzureKeyVaultDestination) UploadUnencrypted(data map[string]interface{}, fileName string) error {
+	credential, err := azidentity.NewDefaultAzureCredential(nil)
+	if err != nil {
+		log.Fatalf("failed to retrieve Azure credential %v", err)
+		return err
+	}
+
+	client, err := azsecrets.NewClient(azkvd.azureKeyVaultURL, credential, nil)
+	if err != nil {
+		log.Fatalf("failed to create azsecrets client %v", err)
+		return err
+	}
+
+	for secretName, secretElement := range data {
+
+		if !strings.HasSuffix(secretName, azkvd.publishSuffix) {
+			continue
+		}
+
+		secretValue := fmt.Sprintf("%v", secretElement)
+
+		sanitizedSecretName := strings.ReplaceAll(secretName, "_", "-")
+
+		azkvLog.Infof("Uploading Secret Name: %v, Sanitized: %v", secretName, sanitizedSecretName)
+
+		// Create a secret
+		params := azsecrets.SetSecretParameters{Value: &secretValue}
+		_, err = client.SetSecret(context.TODO(), sanitizedSecretName, params, nil)
+		if err != nil {
+			log.Fatalf("failed to create a secret %v: %v", secretName, err)
+		}
+	}
+
+	return nil
+}

Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,7 @@ func Run(opts Opts) error {`
`135`	`135`	`return fmt.Errorf("could not read file: %s", err)`
`136`	`136`	`}`
`137`	`137`	`}`
`138`		`- case *publish.VaultDestination:`
	`138`	`+ case publish.VaultDestination, publish.AzureKeyVaultDestination:`
`139`	`139`	`_, err = common.DecryptTree(common.DecryptTreeOpts{`
`140`	`140`	`Cipher: opts.Cipher,`
`141`	`141`	`IgnoreMac: false,`
`@@ -174,7 +174,7 @@ func Run(opts Opts) error {`
`174`	`174`	`switch dest := conf.Destination.(type) {`
`175`	`175`	`case publish.S3Destination, publish.GCSDestination:`
`176`	`176`	`err = dest.Upload(fileContents, destinationPath)`
`177`		`- case *publish.VaultDestination:`
	`177`	`+ case publish.VaultDestination, publish.AzureKeyVaultDestination:`
`178`	`178`	`err = dest.UploadUnencrypted(data, destinationPath)`
`179`	`179`	`}`
`180`	`180`