Add google cloud KMS support #245
Conversation
Codecov Report
@@ Coverage Diff @@
## master #245 +/- ##
==========================================
- Coverage 44.94% 43.76% -1.18%
==========================================
Files 6 7 +1
Lines 1048 1131 +83
==========================================
+ Hits 471 495 +24
- Misses 515 573 +58
- Partials 62 63 +1
Continue to review full report at Codecov.
|
cloudkms/keysource.go
Outdated
|
|
||
| // this needs to be a global var for unit tests to work (mockKMS redefines | ||
| // it in keysource_test.go) | ||
| // var kmsSvc kmsiface.KMSAPI |
There was a problem hiding this comment.
Leftover from copying from AWS KMS. This should probably have tests like the AWS KMS keysource does, so we'll probably need something like this for the GCP version.
cloudkms/keysource.go
Outdated
| return key.ResourceId | ||
| } | ||
|
|
||
| // NewMasterKeyFromResourceId takes an cloud KMS resource id string and returns a new MasterKey for that |
There was a problem hiding this comment.
s/an cloud KMS/a cloud KMS
cmd/sops/main.go
Outdated
| @@ -91,7 +92,7 @@ func main() { | |||
| cli.VersionPrinter = printVersion | |||
| app := cli.NewApp() | |||
| app.Name = "sops" | |||
| app.Usage = "sops - encrypted file editor with AWS KMS and GPG support" | |||
| app.Usage = "sops - encrypted file editor with AWS KMS, google cloud KMS and GPG support" | |||
There was a problem hiding this comment.
nit: Capitalize Google Cloud
cmd/sops/main.go
Outdated
| @@ -104,17 +105,23 @@ func main() { | |||
| in the -k flag or in the SOPS_KMS_ARN environment variable. | |||
| (you need valid credentials in ~/.aws/credentials or in your env) | |||
|
|
|||
| To encrypt or decrypt a document with google cloud KMS, specify the | |||
There was a problem hiding this comment.
nit: Capitalize Google Cloud
cmd/sops/main.go
Outdated
| @@ -104,17 +105,23 @@ func main() { | |||
| in the -k flag or in the SOPS_KMS_ARN environment variable. | |||
| (you need valid credentials in ~/.aws/credentials or in your env) | |||
|
|
|||
| To encrypt or decrypt a document with google cloud KMS, specify the | |||
| cloud KMS resource Id in the -c flag or in the SOPS_CLOUD_KMS_IDS | |||
cmd/sops/main.go
Outdated
| @@ -141,6 +148,11 @@ func main() { | |||
| EnvVar: "SOPS_KMS_ARN", | |||
| }, | |||
| cli.StringFlag{ | |||
| Name: "cloud-kms, c", | |||
| Usage: "comma separated list of google cloud KMS resource IDs", | |||
There was a problem hiding this comment.
nit: Capitalize Google Cloud
cmd/sops/main.go
Outdated
| @@ -104,17 +105,23 @@ func main() { | |||
| in the -k flag or in the SOPS_KMS_ARN environment variable. | |||
| (you need valid credentials in ~/.aws/credentials or in your env) | |||
|
|
|||
| To encrypt or decrypt a document with google cloud KMS, specify the | |||
| cloud KMS resource Id in the -c flag or in the SOPS_CLOUD_KMS_IDS | |||
There was a problem hiding this comment.
nit: s/Id/ID for consistency, as you write it as ID in the docs
sops.go
Outdated
| @@ -385,6 +386,21 @@ func (m *Metadata) AddPGPMasterKeys(pgpFps string) { | |||
| } | |||
| } | |||
|
|
|||
| // AddCloudKMSMasterKeys parses the input comma separated string of cloud KMS resource IDs, generates a KMS MasterKey for each resource ID, and then adds the keys to the cloud KMS KeySource | |||
cmd/sops/main.go
Outdated
| @@ -428,7 +454,8 @@ func getKeySources(c *cli.Context, file string) ([]sops.KeySource, error) { | |||
| } | |||
| kmsKs := sops.KeySource{Name: "kms", Keys: kmsKeys} | |||
| pgpKs := sops.KeySource{Name: "pgp", Keys: pgpKeys} | |||
| return []sops.KeySource{kmsKs, pgpKs}, nil | |||
| cloudKmsKs := sops.KeySource{Name: "cloud-kms", Keys: cloudKmsKeys} | |||
There was a problem hiding this comment.
I think we should use cloud_kms for the key source name, as we currently use snake_case for YAML keys (e.g. unencrypted_suffix).
|
First there was only one kms, then google introduced their kms and things became confusing. I think we need to name Google's kms |
|
I think @jvehent has a point. I'll rename everything to Naming things... :) |
|
We've just merged #238 which was a very big PR and has caused conflicts with this one. I'll perform the merge myself, you shouldn't worry about it. |
autrilla
force-pushed
the
gcloud-kms
branch
from
38243f7
to
bcf8ade
Compare
|
@calind I've performed the merge. I'd appreciate it if you could test this on your own workstation before we merge back to master. |
|
@autrilla It's broken after rebase but I'll have a look in the following days. |
There was a problem hiding this comment.
Thanks a lot for the patch. The code looks good. It needs some README additions to tell people how to make use of it.
I'm a bit terrified by the size of the vendoring commit here. It vendors everything from xmpp to bigtable, just to call the KMS api. Is there a way to just vendor what we need?
|
I forgot, but because of the key service this is also going to need a protobuf message for this key type, and handling for that message type will have to be added to the key service server. |
|
Thanks for the tip. I've managed to generate the protobuf stuff. I'll try finishing the PR this weekend. Regarding @jvehent comment, I've manually added the go dependencies using govend and specifically included only the kms API stuff. I'll try find a way to reduce it but I'm pretty new to golang and any tip would be helpful. |
|
We vendor using |
calind
force-pushed
the
gcloud-kms
branch
3 times, most recently
from
9b35f80
to
55271c1
Compare
|
@autrilla, @jvehent I've updated the PR to take the keyservice into account and I've also added some docs. Regarding the vendoring what I did was: I've tried manually removing some folders from |
cmd/sops/main.go
Outdated
| @@ -129,6 +129,10 @@ func main() { | |||
| Name: "kms", | |||
| Usage: "the KMS ARNs the new group should contain. Can be specified more than once", | |||
| }, | |||
| cli.StringSliceFlag{ | |||
| Name: "gcp-kms", | |||
| Usage: "the GCP KMS Resourece ID the new group should contain. Can be specified more than once", | |||
|
Fixed. |
|
I've tested the functionality locally with my own GCP KMS key and it seems to be working. |
|
🍾 |
Fixes #188.