
Pull in 4 years of changes from upstream repo #1

Open
wants to merge 529 commits into
base: master

Conversation

mlazzaro-better

Pull in all the new changes from the parent repo

ajvb and others added 30 commits August 30, 2019 13:44
Adds support for publishing to vault using KV v1 and a different mount
name (or multiple).
…s to a child process (#504)

* first pass: add --exec flag

* fix spacing

* subcommand for exec as well as other bits n bobs

--placeholder to pass files to child procs (similar to `find(1)`'s -exec flag)
--background to background processes if you don't need them to be interactive

* break the 2 execs into 2 subcommands

* add a non-fifo option for people who like files instead

* added a setuid flag just in case

* oops, used the wrong functions

* Update README.rst

* typo
* Changes to travis config and docs for using develop (#462)

* Fixes integration tests in travis to not run on PRs (they will now
run on merges into `develop` and `master`)
* Change README.rst and CONTRIBUTING.md to reflect the use of `develop`
as the primary development branch

* use golang 1.12 for building sops

* pgp/keysource: Check size of key fingerprint

Make sure the key fingerprint is longer than 16 characters before
slicing it.

Closes #463

* Allow set "json value" to be a string. (#468)

* Allow set "json value" to be a string.

Adds back support for string values in --set, while retaining support
for yaml multidoc that caused this bug.

Fixes #461

* Add functional test for --set'ing strings

* Vendoring update (#472)

It's been around 9 months since our last vendor update. This is also
needed for some new features being worked on for sops workspace.

Additionally, this PR regenerates the kms mocks.

* Remove duplicate sentence from readme (#475)

* 3.3.1 bump and release notes (#477)
Merge typo and release build fix for 3.4.0
…variables to a child process (#504)"

This reverts commit f103af7.
Revert exec command for 3.4.0 release
fix --encrypted-regex documentation
* first pass: add --exec flag

* fix spacing

* subcommand for exec as well as other bits n bobs

--placeholder to pass files to child procs (similar to `find(1)`'s -exec flag)
--background to background processes if you don't need them to be interactive

* break the 2 execs into 2 subcommands

* add a non-fifo option for people who like files instead

* added a setuid flag just in case

* oops, used the wrong functions

* Update README.rst

* typo

* first attempt at separating out windows/unix functionality

* add the caveat about windows

* windows: make sure --no-fifo is being used and warn when it's not

* stray fixes

* switch to logrus, break out the command builder, and remove /tmp/ default
Document how to operate on stdin
Add note about mandatory keys rotation when using --add-* options.
fix for #548 - handle .ini files in `decrypt.Data`, add other helper
* Sanitize hostname used for AWS STS role session name

From official docs for --role-session-name (https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html):
> The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-

This fixes #441, which occurs when the hostname includes spaces and parentheses.

* pr notes: wrap STS role session name regex compilation error
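As an added example, not sops' own code: a Go sanitizer that applies the AWS character rule quoted above and the 64-character cap mentioned in a later commit. The function names and the sample hostnames are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// AWS limits RoleSessionName to alphanumerics, underscore and =,.@- (the rule
// quoted above); the 64-character cap comes from the later commit.
const maxRoleSessionNameLen = 64

var (
	// Go's \w is ASCII [0-9A-Za-z_], so anything else is replaced below.
	disallowedChar   = regexp.MustCompile(`[^\w=,.@-]`)
	validSessionName = regexp.MustCompile(`^[\w=,.@-]{1,64}$`)
)

// sanitizeRoleSessionName turns a hostname into an acceptable session name:
// every disallowed character becomes "_" and the result is cut to 64 bytes.
func sanitizeRoleSessionName(hostname string) (string, error) {
	name := disallowedChar.ReplaceAllString(hostname, "_")
	if len(name) > maxRoleSessionNameLen {
		// Byte slicing is safe here: every remaining character is ASCII.
		name = name[:maxRoleSessionNameLen]
	}
	if name == "" {
		return "", errors.New("hostname produced an empty session name")
	}
	return name, nil
}

// validRoleSessionName reports whether a candidate already satisfies the
// documented constraints; a cheap defensive check before calling AssumeRole.
func validRoleSessionName(name string) bool {
	return validSessionName.MatchString(name)
}

func main() {
	host, err := os.Hostname()
	if err != nil {
		host = "unknown-host"
	}
	// Constructed samples: a hostname with spaces/parentheses and an overlong one.
	for _, h := range []string{host, "Mark's MacBook Pro (2)", strings.Repeat("x", 100)} {
		name, err := sanitizeRoleSessionName(h)
		fmt.Printf("%q -> %q valid=%t err=%v\n", h, name, validRoleSessionName(name), err)
	}
}
```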
FnTm and others added 28 commits March 10, 2022 15:46
Previous setup relied implicitly on the correct file to be there. Introduction of arm64 builds broke that implicit assumption.
Explicitly build linux amd64 binary
Remove duplicated stage from Dockerfile.alpine
…ipients

I encountered an issue when I tried to specify multiple age recipients
in the .sops.yaml config file of my repository.

I tried running `sops --age 'agePubKey1,agePubKey2' -e -i values.secret.yaml`
which produced an appropriate file with two entries in the `/sops/age/-`
part of the encrypted yaml file.

However, I then continued to set multiple recipients in my .sops.yaml
file to simplify handling:

```yaml
creation_rules:
  - encrypted_regex: '^(data|stringData|spec)$'
    age: 'agePubKey1,agePubKey2'
```

However, this resulted in encryption only being done for the first
specified agePubKey, not the second or third one.

After digging a bit through the code, I think this should fix it.

I verified the fix locally on my machine and got it working. Also adding
some unit tests and extending the repository examples so they can be
decrypted using the age keys provided in `age/keys.txt`

Signed-off-by: Cedric Kienzler <[email protected]>
In a comment on #966
it was proposed to make `masterKeyFromRecipient` private to avoid
reintroducing this bug in the future.
Since I agree with the idea, this change will make the method private
and update all unit-tests to use the `MasterKeysFromRecipients` method
instead.

Signed-off-by: Cedric Kienzler <[email protected]>
Adding tests to verify we do not break the usage of a single AGE key

Signed-off-by: Cedric Kienzler <[email protected]>
[Fix] sops multi recipient for age encryption
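As an added example, not sops' own code: a Go helper that builds one key per comma-separated recipient from an `age:` value like the one in the config above, plus a check that every configured recipient is present in the recipient list an encrypted file carries under `sops.age`. The `MasterKey` type, `missingRecipients` and the sample recipient strings are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// MasterKey stands in for sops' age master key; only the recipient matters here.
type MasterKey struct{ Recipient string }

// MasterKeysFromRecipients splits the comma-separated value from .sops.yaml and
// returns one MasterKey per distinct recipient: 'agePubKey1,agePubKey2' yields two.
func MasterKeysFromRecipients(commaSeparated string) ([]*MasterKey, error) {
	seen := map[string]bool{}
	var keys []*MasterKey
	for _, part := range strings.Split(commaSeparated, ",") {
		r := strings.TrimSpace(part)
		if r == "" || seen[r] {
			continue // skip empty fragments and repeated recipients
		}
		// age recipients are bech32 strings carrying the "age1" prefix.
		if !strings.HasPrefix(r, "age1") || strings.ContainsAny(r, " \t") {
			return nil, fmt.Errorf("invalid age recipient %q", r)
		}
		seen[r] = true
		keys = append(keys, &MasterKey{Recipient: r})
	}
	if len(keys) == 0 {
		return nil, fmt.Errorf("no age recipients in %q", commaSeparated)
	}
	return keys, nil
}

// missingRecipients compares the configured keys with the recipients listed
// under sops.age in an encrypted file and returns those the file lacks; a
// non-empty result is the symptom the commit message describes.
func missingRecipients(keys []*MasterKey, fileRecipients []string) []string {
	present := map[string]bool{}
	for _, r := range fileRecipients {
		present[r] = true
	}
	var missing []string
	for _, k := range keys {
		if !present[k.Recipient] {
			missing = append(missing, k.Recipient)
		}
	}
	return missing
}
```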
Use latest dockerd in CI to allow build alpine image (#870)
This allows for easier injection of your own (local) key service server
implementation, in situations where e.g. you do not want to rely on
environment variables or other runtime defaults.

It is not of impact to end-users, but improves the experience of
developers making use of SOPS as an SDK to e.g. provide decryption
services to users. As they will now in many cases end up copying this
bit of code to make this precise change.

Signed-off-by: Hidde Beydals <[email protected]>
Limit role session name length to 64 characters.
keyservice: accept KeyServiceServer in LocalClient
Version past CVE-2022-27191.

Signed-off-by: Hidde Beydals <[email protected]>
Latest API clients are (most) often greatest.

Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
As `golang.org/x/crypto/openpgp` has been deprecated (see
golang/go#44226 for details).

Signed-off-by: Hidde Beydals <[email protected]>
Support for GCP Service Account as JSON or Path in Default Application Credentials
@hiddeco hiddeco deleted the branch better:master July 6, 2023 20:59
@hiddeco hiddeco deleted the master branch July 6, 2023 20:59