Add google cloud KMS support #245
Codecov Report
@@ Coverage Diff @@
## master #245 +/- ##
==========================================
- Coverage 44.94% 43.76% -1.18%
==========================================
Files 6 7 +1
Lines 1048 1131 +83
==========================================
+ Hits 471 495 +24
- Misses 515 573 +58
- Partials 62 63 +1
Thank you very much for the PR. Looks good, I've left a few minor comments that need to be addressed before we can merge this.
cloudkms/keysource.go
Outdated
|
||
// this needs to be a global var for unit tests to work (mockKMS redefines | ||
// it in keysource_test.go) | ||
// var kmsSvc kmsiface.KMSAPI |
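Review bot: the commented-out `// var kmsSvc kmsiface.KMSAPI` is dead code carried over from the AWS key source (kmsiface is the AWS SDK interface, which has no meaning here) and should not ship; either delete it or replace it with a Cloud KMS client interface held in a package-level variable that keysource_test.go can substitute with a fake, which is what the comment above it is asking for.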
Leftover from copying from AWS KMS. This should probably have tests like the AWS KMS keysource does, so we'll probably need something like this for the GCP version.
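A sketch of the injectable-client pattern the comment above describes, added here as an example and not code from the sops PR: the Cloud KMS client sits behind a small interface in a package-level variable so a test can replace it with a fake, and the fake binds each ciphertext to the resource ID that wrapped it. The interface, type and function names and the fake's prefix scheme are assumptions; the real Cloud KMS API client is not used so the block runs offline.

```go
package main

import "encoding/base64"
import "fmt"

// kmsClient is the narrow surface the key source needs from Google Cloud KMS.
type kmsClient interface {
	Encrypt(resourceID string, plaintext []byte) ([]byte, error)
	Decrypt(resourceID string, ciphertext []byte) ([]byte, error)
}

// kmsSvc is package-level so a keysource_test.go can swap in a fake (the review thread's point).
var kmsSvc kmsClient

// MasterKey is a GCP KMS crypto key (by resource ID) wrapping a sops data key; EncryptedKey is base64.
type MasterKey struct {
	ResourceID   string
	EncryptedKey string
}

// Encrypt wraps dataKey with the master key and stores the result.
func (k *MasterKey) Encrypt(dataKey []byte) error {
	ct, err := kmsSvc.Encrypt(k.ResourceID, dataKey)
	if err != nil {
		return fmt.Errorf("cloudkms: encrypt with %s: %w", k.ResourceID, err)
	}
	k.EncryptedKey = base64.StdEncoding.EncodeToString(ct)
	return nil
}

// Decrypt unwraps the stored ciphertext and returns the data key.
func (k *MasterKey) Decrypt() ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(k.EncryptedKey)
	if err != nil {
		return nil, fmt.Errorf("cloudkms: decode stored key: %w", err)
	}
	return kmsSvc.Decrypt(k.ResourceID, ct)
}

// fakeKMS is a constructed test double: it prefixes the resource ID so Decrypt rejects the wrong key.
type fakeKMS struct{}
func (fakeKMS) Encrypt(id string, pt []byte) ([]byte, error) { return append([]byte(id+":"), pt...), nil }
func (fakeKMS) Decrypt(id string, ct []byte) ([]byte, error) {
	if p := id + ":"; len(ct) < len(p) || string(ct[:len(p)]) != p {
		return nil, fmt.Errorf("fakeKMS: ciphertext not wrapped by %s", id)
	}
	return ct[len(id)+1:], nil
}

func main() { kmsSvc = fakeKMS{} } // stand-alone build; tests set kmsSvc themselves
```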
cloudkms/keysource.go
Outdated
return key.ResourceId | ||
} | ||
|
||
// NewMasterKeyFromResourceId takes an cloud KMS resource id string and returns a new MasterKey for that |
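Review bot: the doc comment reads "takes an cloud KMS resource id"; it should say "a cloud KMS resource ID". Since the function is exported, Go naming convention (and golint) would also prefer `NewMasterKeyFromResourceID` over `NewMasterKeyFromResourceId`, matching the `ID` spelling used elsewhere in the docs.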
s/an cloud KMS/a cloud KMS
cmd/sops/main.go
Outdated
@@ -91,7 +92,7 @@ func main() { | |||
cli.VersionPrinter = printVersion | |||
app := cli.NewApp() | |||
app.Name = "sops" | |||
app.Usage = "sops - encrypted file editor with AWS KMS and GPG support" | |||
app.Usage = "sops - encrypted file editor with AWS KMS, google cloud KMS and GPG support" |
nit: Capitalize Google Cloud
cmd/sops/main.go
Outdated
@@ -104,17 +105,23 @@ func main() { | |||
in the -k flag or in the SOPS_KMS_ARN environment variable. | |||
(you need valid credentials in ~/.aws/credentials or in your env) | |||
|
|||
To encrypt or decrypt a document with google cloud KMS, specify the |
nit: Capitalize Google Cloud
cmd/sops/main.go
Outdated
@@ -104,17 +105,23 @@ func main() { | |||
in the -k flag or in the SOPS_KMS_ARN environment variable. | |||
(you need valid credentials in ~/.aws/credentials or in your env) | |||
|
|||
To encrypt or decrypt a document with google cloud KMS, specify the | |||
cloud KMS resource Id in the -c flag or in the SOPS_CLOUD_KMS_IDS |
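Review bot: the AWS paragraph just above tells the user where credentials must come from (~/.aws/credentials or the environment), but the new Cloud KMS paragraph says nothing about authentication; add a line saying how the Google client finds its credentials (for the Google client libraries this is normally application default credentials), so a user hitting a permission error on encrypt knows where to look. Also write "resource ID", not "resource Id", to match the docs.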
nit: Capitalize Cloud
cmd/sops/main.go
Outdated
@@ -141,6 +148,11 @@ func main() { | |||
EnvVar: "SOPS_KMS_ARN", | |||
}, | |||
cli.StringFlag{ | |||
Name: "cloud-kms, c", | |||
Usage: "comma separated list of google cloud KMS resource IDs", |
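Review bot: the help text earlier in this file says the IDs can also be read from the SOPS_CLOUD_KMS_IDS environment variable, but the flag definition visible here ends at `Usage` with no `EnvVar` field; make sure this StringFlag sets `EnvVar: "SOPS_CLOUD_KMS_IDS"` the way the kms flag sets `EnvVar: "SOPS_KMS_ARN"`, otherwise the documented variable is silently ignored. "google cloud" in the usage string should be capitalized as Google Cloud.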
nit: Capitalize Google Cloud
cmd/sops/main.go
Outdated
@@ -104,17 +105,23 @@ func main() { | |||
in the -k flag or in the SOPS_KMS_ARN environment variable. | |||
(you need valid credentials in ~/.aws/credentials or in your env) | |||
|
|||
To encrypt or decrypt a document with google cloud KMS, specify the | |||
cloud KMS resource Id in the -c flag or in the SOPS_CLOUD_KMS_IDS |
nit: s/Id/ID for consistency, as you write it as ID in the docs
sops.go
Outdated
@@ -385,6 +386,21 @@ func (m *Metadata) AddPGPMasterKeys(pgpFps string) { | |||
} | |||
} | |||
|
|||
// AddCloudKMSMasterKeys parses the input comma separated string of cloud KMS resource IDs, generates a KMS MasterKey for each resource ID, and then adds the keys to the cloud KMS KeySource |
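Review bot: the doc comment on AddCloudKMSMasterKeys is a single very long line; wrap it, and say "Cloud KMS MasterKey" rather than "KMS MasterKey" so the type is not confused with the AWS KMS one. It would also help to state whether an empty input string adds no keys, since the comment promises one key per resource ID in the comma-separated list.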
Capitalize Cloud
cmd/sops/main.go
Outdated
@@ -428,7 +454,8 @@ func getKeySources(c *cli.Context, file string) ([]sops.KeySource, error) { | |||
} | |||
kmsKs := sops.KeySource{Name: "kms", Keys: kmsKeys} | |||
pgpKs := sops.KeySource{Name: "pgp", Keys: pgpKeys} | |||
return []sops.KeySource{kmsKs, pgpKs}, nil | |||
cloudKmsKs := sops.KeySource{Name: "cloud-kms", Keys: cloudKmsKeys} |
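Review bot: the `return []sops.KeySource{kmsKs, pgpKs}, nil` line still appears above the new `cloudKmsKs` declaration, and the replacement return that includes `cloudKmsKs` falls outside this excerpt; confirm it is there, because otherwise the Cloud KMS master keys are built but never returned and the file would be encrypted to AWS KMS and PGP only. The key source name should also follow the snake_case used for the other YAML keys rather than "cloud-kms".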
I think we should use cloud_kms for the key source name, as we currently use snake_case for YAML keys (e.g. unencrypted_suffix).
First there was only one kms, then Google introduced their kms and things became confusing. I think we need to name Google's kms
I think @jvehent has a point. I'll rename everything to Naming things... :)
We've just merged #238 which was a very big PR and has caused conflicts with this one. I'll perform the merge myself, you shouldn't worry about it.
38243f7 to bcf8ade
@calind I've performed the merge. I'd appreciate it if you could test this on your own workstation before we merge back to master.
@autrilla It's broken after rebase but I'll have a look in the following days.
Thanks a lot for the patch. The code looks good. It needs some README additions to tell people how to make use of it.
I'm a bit terrified by the size of the vendoring commit here. It vendors everything from xmpp to bigtable, just to call the KMS api. Is there a way to just vendor what we need?
I forgot, but because of the key service this is also going to need a protobuf message for this key type, and handling for that message type will have to be added to the key service server.
Thanks for the tip. I've managed to generate the protobuf stuff. I'll try finishing the PR this weekend. Regarding @jvehent's comment, I've manually added the Go dependencies using govend and specifically included only the KMS API stuff. I'll try to find a way to reduce it but I'm pretty new to Golang and any tip would be helpful.
We vendor using
9b35f80 to 55271c1
@autrilla, @jvehent I've updated the PR to take the keyservice into account and I've also added some docs. Regarding the vendoring what I did was:
I've tried manually removing some folders from
cmd/sops/main.go
Outdated
@@ -129,6 +129,10 @@ func main() { | |||
Name: "kms", | |||
Usage: "the KMS ARNs the new group should contain. Can be specified more than once", | |||
}, | |||
cli.StringSliceFlag{ | |||
Name: "gcp-kms", | |||
Usage: "the GCP KMS Resourece ID the new group should contain. Can be specified more than once", |
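Review bot: "Resourece" in the usage string is a typo for "Resource"; and since this is a StringSliceFlag that can be given more than once, "the GCP KMS resource IDs the new group should contain" (plural, with ID capitalized as in the docs) would mirror the kms flag's "the KMS ARNs" wording just above.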
Resource
Fixed.
I've tested the functionality locally with my own GCP KMS key and it seems to be working.
🍾
Fixes #188.