feat: add age plugin support #1641

Draft
wants to merge 1 commit into
base: main

brianmcgee

Another attempt at #1465 without bringing in so much code from age.

Instead, I created FiloSottile/age#591 upstream to expose PluginTerminalUI.

TODO

@felixfontein felixfontein marked this pull request as draft October 2, 2024 17:16
@felixfontein
Contributor

Thank you very much for this! I've marked it as a draft (we can put it back to ready once the upstream change is merged).

@felixfontein felixfontein added this to the 3.10.0 milestone Oct 2, 2024
@Mic92 Mic92 mentioned this pull request Oct 3, 2024
go.mod Outdated
@@ -134,3 +134,5 @@ require (
google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
)

replace filippo.io/age => github.com/brianmcgee/age v0.0.0-20241002093043-152b6edfe56a
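
Review bot: The replace directive on the last line points filippo.io/age at a personal fork pinned to a pseudo-version (github.com/brianmcgee/age v0.0.0-20241002093043-152b6edfe56a), so every build of this branch takes its age implementation from that fork instead of the upstream module. This should block merging: drop the directive and require an upstream filippo.io/age version once the needed change is available there, and until then add a comment above the directive saying why it exists.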

@loa loa Oct 3, 2024

I guess this slipped in (or is required to get the tests to pass). Thanks for pushing this forward, @brianmcgee!

Author

That's what the todo is about above. Once upstream merges, I can remove that.

@Ma27

Ma27 commented Nov 20, 2024

Using this, it works fine for sops -d. However, if I specify public keys for creation_rules in a .sops.yaml, sops will break when editing these files since parseRecipients doesn't know what to do with age-plugin-yubikey pubkeys.

I fixed this with the following patch on top:

From 64e77bd60f8ebc8a0a5c7f8602a6f5855c892fd3 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch <[email protected]>
Date: Wed, 20 Nov 2024 22:44:49 +0100
Subject: [PATCH] age/keysource: parse recipients using plugin system

Otherwise I get

    failed to parse input as Bech32-encoded age public key: malformed recipient "age1yubikey1...": invalid type "age1yubikey"

for `sops secrets/.../secrets.sops.yaml` in a directory with a
`.sops.yaml` that has creation rules with age1yubikey1* keys in its
creation rules.
---
 age/keysource.go | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/age/keysource.go b/age/keysource.go
index f04e4aff8..a9051c926 100644
--- a/age/keysource.go
+++ b/age/keysource.go
@@ -304,12 +304,21 @@ func (key *MasterKey) loadIdentities() (ParsedIdentities, error) {
 
 // parseRecipient attempts to parse a string containing an encoded age public
 // key.
-func parseRecipient(recipient string) (*age.X25519Recipient, error) {
-	parsedRecipient, err := age.ParseX25519Recipient(recipient)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse input as Bech32-encoded age public key: %w", err)
+func parseRecipient(recipient string) (age.Recipient, error) {
+	switch {
+	case strings.HasPrefix(recipient, "age1") && strings.Count(recipient, "1") > 1:
+		parsedRecipient, err := plugin.NewRecipient(recipient, tui.PluginTerminalUI)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse input as age key from age plugin: %w", err)
+		}
+		return parsedRecipient, nil
+	default:
+		parsedRecipient, err := age.ParseX25519Recipient(recipient)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse input as Bech32-encoded age public key: %w", err)
+		}
+		return parsedRecipient, nil
 	}
-	return parsedRecipient, nil
 }
 
 // parseIdentities attempts to parse the string set of encoded age identities.
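
Review bot: The first case in parseRecipient decides that a recipient belongs to a plugin by testing strings.Count(recipient, "1") > 1, and nothing in the hunk explains that test. A native key mistyped with an extra "1" also takes this branch and is reported as "failed to parse input as age key from age plugin", which points the user at the wrong problem. Add a comment stating the rule the count relies on, and update the doc comment above the function, which still describes only "an encoded age public key" although the function now returns the age.Recipient interface and accepts plugin recipients.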
-- 
2.47.0

Feel free to pick this to your branch @brianmcgee :)
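
Why the error quoted in the commit message names the type "age1yubikey", as an added example that is not part of this PR or of the sops or age code: a Bech32 string splits at its last "1", so a plugin recipient carries the prefix age1<name> where a native recipient carries age. The helper classifyRecipient and the sample strings are hypothetical and constructed; the Bech32 checksum is not verified here.

```go
package main

import (
	"fmt"
	"strings"
)

// Bech32 data alphabet. It has no "1", so the last "1" in a string is
// always the separator between the human-readable prefix and the data.
const bech32Charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

// classifyRecipient returns "x25519" for a native recipient (prefix "age")
// or "plugin:<name>" for a plugin recipient (prefix "age1<name>").
// Hypothetical helper: it inspects structure only and does not verify the
// Bech32 checksum, so the real parser must still be called afterwards.
func classifyRecipient(s string) (string, error) {
	sep := strings.LastIndex(s, "1")
	if sep < 1 || sep == len(s)-1 {
		return "", fmt.Errorf("no Bech32 separator in %q", s)
	}
	hrp, data := s[:sep], s[sep+1:]
	for _, c := range data {
		if !strings.ContainsRune(bech32Charset, c) {
			return "", fmt.Errorf("invalid Bech32 data character %q", c)
		}
	}
	switch {
	case hrp == "age":
		return "x25519", nil
	case strings.HasPrefix(hrp, "age1") && len(hrp) > len("age1"):
		return "plugin:" + strings.TrimPrefix(hrp, "age1"), nil
	default:
		return "", fmt.Errorf("unexpected prefix %q", hrp)
	}
}

func main() {
	// Constructed sample strings, not real keys (checksums are not valid).
	for _, s := range []string{
		"age1qpzry9x8gf2tvdw0s3jn54khce6mua7l",
		"age1yubikey1qpzry9x8gf2tvdw0s3jn",
		"ssh1qpzry9x8",
		"age1QPZRY",
	} {
		kind, err := classifyRecipient(s)
		fmt.Printf("%-40s kind=%q err=%v\n", s, kind, err)
	}
}
```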

@brianmcgee brianmcgee force-pushed the feat/age-plugins branch 3 times, most recently from 81f1b4a to 0607eae Compare November 21, 2024 09:03
@brianmcgee
Author

@Ma27 applied the patch, thanks 👍

@visualphoenix

+1 would be great to have this in sops

Signed-off-by: Brian McGee <[email protected]>
Co-authored-by: Maximilian Bosch <[email protected]>
Signed-off-by: Brian McGee <[email protected]>