Merge pull request #726 from bkreitch/try-offline-methods-first

Sort SOPS masterkeys so offline decrypt methods are tried first

Author: stefanprodan

controllers/kustomization_decryptor.go

@@ -25,6 +25,7 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
 	"sync"
 	"time"
@@ -280,6 +281,13 @@ func (d *KustomizeDecryptor) SopsDecryptWithFormat(data []byte, inputFormat, out
 		return nil, sopsUserErr(fmt.Sprintf("failed to load encrypted %s data", sopsFormatToString[inputFormat]), err)
 	}
 
+	for _, group := range tree.Metadata.KeyGroups {
+		// Sort MasterKeys in the group so offline ones are tried first
+		sort.SliceStable(group, func(i, j int) bool {
+			return intkeyservice.IsOfflineMethod(group[i]) && !intkeyservice.IsOfflineMethod(group[j])
+		})
+	}
+
 	metadataKey, err := tree.Metadata.GetDataKeyWithKeyServices(d.keyServiceServer())
 	if err != nil {
 		return nil, sopsUserErr("cannot get sops data key", err)

internal/sops/keyservice/keyservice.go

@@ -0,0 +1,23 @@
+// Copyright (C) 2022 The Flux authors
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package keyservice
+
+import (
+	"go.mozilla.org/sops/v3/age"
+	"go.mozilla.org/sops/v3/keys"
+	"go.mozilla.org/sops/v3/pgp"
+)
+
+// IsOfflineMethod returns true for offline decrypt methods or false otherwise
+func IsOfflineMethod(mk keys.MasterKey) bool {
+	switch mk.(type) {
+	case *pgp.MasterKey, *age.MasterKey:
+		return true
+	default:
+		return false
+	}
+}