Skip to content

Add manage command #1109

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dooferlad wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add manage command #1109

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1b6806c
Add manage command
dooferlad Aug 15, 2022
3fcbb3a
Only allow adding master keys in the key management command
dooferlad Aug 16, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 37 additions & 13 deletions cmd/sops/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -552,6 +552,10 @@ func main() {
Name: "rotate, r",
Usage: "generate a new data encryption key and reencrypt all values with the new key",
},
cli.BoolFlag{
Name: "manage, m",
Usage: "manage master keys without reencrypting all values with a new data key",
Copy link
Contributor

@felixfontein felixfontein Aug 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry that I didn't think about this earlier, but adding new master keys without cycling the data password also has potential security implications that can be dangerous. Think of a devops git repo where a file is readable by users A and B and contains some high-value secrets. At some point it is decided that parts of that file also need to be readable by C, so the things that should not be read by C are moved to another file, and then this command is used to give C access to this file.

Since the data key has not been cycled, C now has access to the data key and to the git history, allowing C to also read the parts that C was not supposed to be able to read.

This is probably why so far there's only rotate, which always rotates the data key.

Copy link
Author

@dooferlad dooferlad Aug 18, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is reasonable - do you think this could land with a big fat warning? In my case we wanted to add a second key so we had a backup key and there isn't a history problem. I really don't mind dropping this since I have already used it locally.

Copy link
Contributor

@felixfontein felixfontein Aug 18, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I personally think it is ok with a big fat warning, since there are cases (like the one you are describing) where this is really useful. But I'm just a random person making comments here, my opinion doesn't count that much ;) @ajvb what do you think?

},
cli.StringFlag{
Name: "kms, k",
Usage: "comma separated list of KMS ARNs",
Expand Down Expand Up @@ -719,7 +723,7 @@ func main() {
c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" {
return common.NewExitError("Error: cannot add or remove keys on non-existent files, use `--kms` and `--pgp` instead.", codes.CannotChangeKeysFromNonExistentFile)
}
if c.Bool("encrypt") || c.Bool("decrypt") || c.Bool("rotate") {
if c.Bool("encrypt") || c.Bool("decrypt") || c.Bool("rotate") || c.Bool("manage") {
return common.NewExitError("Error: cannot operate on non-existent file", codes.NoFileSpecified)
}
}
Expand Down Expand Up @@ -818,7 +822,7 @@ func main() {
IgnoreMAC: c.Bool("ignore-mac"),
})
}
if c.Bool("rotate") {
if c.Bool("rotate") || c.Bool("manage") {
var addMasterKeys []keys.MasterKey
kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
for _, k := range kms.MasterKeysFromArnString(c.String("add-kms"), kmsEncryptionContext, c.String("aws-profile")) {
Expand Down Expand Up @@ -884,16 +888,36 @@ func main() {
rmMasterKeys = append(rmMasterKeys, k)
}

output, err = rotate(rotateOpts{
OutputStore: outputStore,
InputStore: inputStore,
InputPath: fileName,
Cipher: aes.NewCipher(),
KeyServices: svcs,
IgnoreMAC: c.Bool("ignore-mac"),
AddMasterKeys: addMasterKeys,
RemoveMasterKeys: rmMasterKeys,
})
if c.Bool("rotate") {
output, err = rotate(rotateOpts{
OutputStore: outputStore,
InputStore: inputStore,
InputPath: fileName,
Cipher: aes.NewCipher(),
KeyServices: svcs,
IgnoreMAC: c.Bool("ignore-mac"),
AddMasterKeys: addMasterKeys,
RemoveMasterKeys: rmMasterKeys,
})
} else if c.Bool("manage") {
if len(rmMasterKeys) > 0 {
// Assume that when removing a master key, it isn't being securely stored, so shouldn't be trusted
return common.NewExitError(fmt.Errorf("you must rotate the data key when removing a master key"), codes.ErrorGeneric)
}

output, err = manage(manageOpts{
OutputStore: outputStore,
InputStore: inputStore,
InputPath: fileName,
Cipher: aes.NewCipher(),
KeyServices: svcs,
IgnoreMAC: c.Bool("ignore-mac"),
AddMasterKeys: addMasterKeys,
RemoveMasterKeys: rmMasterKeys,
})
} else {
return common.NewExitError(fmt.Errorf("unexpected command in branch"), codes.ErrorGeneric)
}
}

if c.String("set") != "" {
Expand All @@ -915,7 +939,7 @@ func main() {
})
}

isEditMode := !c.Bool("encrypt") && !c.Bool("decrypt") && !c.Bool("rotate") && c.String("set") == ""
isEditMode := !c.Bool("encrypt") && !c.Bool("decrypt") && !c.Bool("rotate") && c.String("set") == "" && !c.Bool("manage")
if isEditMode {
_, statErr := os.Stat(fileName)
fileExists := statErr == nil
Expand Down
79 changes: 79 additions & 0 deletions cmd/sops/manage.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
package main

import (
"fmt"

"go.mozilla.org/sops/v3"
"go.mozilla.org/sops/v3/audit"
"go.mozilla.org/sops/v3/cmd/sops/codes"
"go.mozilla.org/sops/v3/cmd/sops/common"
"go.mozilla.org/sops/v3/keys"
"go.mozilla.org/sops/v3/keyservice"
)

type manageOpts struct {
Cipher sops.Cipher
InputStore sops.Store
OutputStore sops.Store
InputPath string
IgnoreMAC bool
AddMasterKeys []keys.MasterKey
RemoveMasterKeys []keys.MasterKey
KeyServices []keyservice.KeyServiceClient
}

func manage(opts manageOpts) ([]byte, error) {
tree, err := common.LoadEncryptedFileWithBugFixes(common.GenericDecryptOpts{
Cipher: opts.Cipher,
InputStore: opts.InputStore,
InputPath: opts.InputPath,
IgnoreMAC: opts.IgnoreMAC,
KeyServices: opts.KeyServices,
})
if err != nil {
return nil, err
}

audit.SubmitEvent(audit.RotateEvent{
File: tree.FilePath,
})

dataKey, err := common.DecryptTree(common.DecryptTreeOpts{
Cipher: opts.Cipher, IgnoreMac: opts.IgnoreMAC, Tree: tree,
KeyServices: opts.KeyServices,
})
if err != nil {
return nil, err
}

// Add new master keys
for _, key := range opts.AddMasterKeys {
tree.Metadata.KeyGroups[0] = append(tree.Metadata.KeyGroups[0], key)
}
// Remove master keys
for _, rmKey := range opts.RemoveMasterKeys {
for i := range tree.Metadata.KeyGroups {
for j, groupKey := range tree.Metadata.KeyGroups[i] {
if rmKey.ToString() == groupKey.ToString() {
tree.Metadata.KeyGroups[i] = append(tree.Metadata.KeyGroups[i][:j], tree.Metadata.KeyGroups[i][j+1:]...)
}
}
}
}

tree.Metadata.UpdateMasterKeysWithKeyServices(dataKey, opts.KeyServices)

// Reencrypt the file with the same data key
err = common.EncryptTree(common.EncryptTreeOpts{
DataKey: dataKey, Tree: tree, Cipher: opts.Cipher,
})
if err != nil {
return nil, err
}

encryptedFile, err := opts.OutputStore.EmitEncryptedFile(*tree)
if err != nil {
return nil, common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree)
}
return encryptedFile, nil
}