// We open the file *after* the operations on the tree have been
644
+
// executed to avoid truncating it when there's errors
645
+
ifc.Bool("in-place") {
646
+
file, err:=os.Create(fileName)
647
+
iferr!=nil {
648
+
returncommon.NewExitError(fmt.Sprintf("Could not open in-place file for writing: %s", err), codes.CouldNotWriteOutputFile)
649
+
}
650
+
deferfile.Close()
651
+
_, err=file.Write(output)
652
+
iferr!=nil {
653
+
returntoExitError(err)
654
+
}
655
+
log.Info("File written successfully")
656
+
returnnil
657
+
}
658
+
659
+
outputFile:=os.Stdout
660
+
ifc.String("output") !="" {
661
+
file, err:=os.Create(c.String("output"))
662
+
iferr!=nil {
663
+
returncommon.NewExitError(fmt.Sprintf("Could not open output file for writing: %s", err), codes.CouldNotWriteOutputFile)
664
+
}
665
+
deferfile.Close()
666
+
outputFile=file
667
+
}
668
+
_, err=outputFile.Write(output)
669
+
returntoExitError(err)
670
+
},
671
+
},
672
+
{
673
+
Name: "encrypt",
674
+
Usage: "encrypt a file, and output the results to stdout",
675
+
ArgsUsage: `file`,
676
+
Flags: append([]cli.Flag{
677
+
cli.BoolFlag{
678
+
Name: "in-place, i",
679
+
Usage: "write output back to the same file instead of stdout",
680
+
},
681
+
cli.StringFlag{
682
+
Name: "output",
683
+
Usage: "Save the output after decryption to the file specified",
684
+
},
685
+
cli.StringFlag{
686
+
Name: "kms, k",
687
+
Usage: "comma separated list of KMS ARNs",
688
+
EnvVar: "SOPS_KMS_ARN",
689
+
},
690
+
cli.StringFlag{
691
+
Name: "aws-profile",
692
+
Usage: "The AWS profile to use for requests to AWS",
693
+
},
694
+
cli.StringFlag{
695
+
Name: "gcp-kms",
696
+
Usage: "comma separated list of GCP KMS resource IDs",
697
+
EnvVar: "SOPS_GCP_KMS_IDS",
698
+
},
699
+
cli.StringFlag{
700
+
Name: "azure-kv",
701
+
Usage: "comma separated list of Azure Key Vault URLs",
702
+
EnvVar: "SOPS_AZURE_KEYVAULT_URLS",
703
+
},
704
+
cli.StringFlag{
705
+
Name: "hc-vault-transit",
706
+
Usage: "comma separated list of vault's key URI (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev')",
707
+
EnvVar: "SOPS_VAULT_URIS",
708
+
},
709
+
cli.StringFlag{
710
+
Name: "pgp, p",
711
+
Usage: "comma separated list of PGP fingerprints",
712
+
EnvVar: "SOPS_PGP_FP",
713
+
},
714
+
cli.StringFlag{
715
+
Name: "age, a",
716
+
Usage: "comma separated list of age recipients",
717
+
EnvVar: "SOPS_AGE_RECIPIENTS",
718
+
},
719
+
cli.StringFlag{
720
+
Name: "input-type",
721
+
Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type",
722
+
},
723
+
cli.StringFlag{
724
+
Name: "output-type",
725
+
Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the input file's extension to determine the output format",
726
+
},
727
+
cli.StringFlag{
728
+
Name: "unencrypted-suffix",
729
+
Usage: "override the unencrypted key suffix.",
730
+
},
731
+
cli.StringFlag{
732
+
Name: "encrypted-suffix",
733
+
Usage: "override the encrypted key suffix. When empty, all keys will be encrypted, unless otherwise marked with unencrypted-suffix.",
734
+
},
735
+
cli.StringFlag{
736
+
Name: "unencrypted-regex",
737
+
Usage: "set the unencrypted key regex. When specified, only keys matching the regex will be left unencrypted.",
738
+
},
739
+
cli.StringFlag{
740
+
Name: "encrypted-regex",
741
+
Usage: "set the encrypted key regex. When specified, only keys matching the regex will be encrypted.",
742
+
},
743
+
cli.StringFlag{
744
+
Name: "encryption-context",
745
+
Usage: "comma separated list of KMS encryption context key:value pairs",
746
+
},
747
+
cli.IntFlag{
748
+
Name: "shamir-secret-sharing-threshold",
749
+
Usage: "the number of master keys required to retrieve the data key with shamir",
750
+
},
751
+
}, keyserviceFlags...),
752
+
Action: func(c*cli.Context) error {
753
+
ifc.Bool("verbose") {
754
+
logging.SetLevel(logrus.DebugLevel)
755
+
}
756
+
ifc.NArg() <1 {
757
+
returncommon.NewExitError("Error: no file specified", codes.NoFileSpecified)
758
+
}
759
+
warnMoreThanOnePositionalArgument(c)
760
+
ifc.Bool("in-place") &&c.String("output") !="" {
761
+
returncommon.NewExitError("Error: cannot operate on both --output and --in-place", codes.ErrorConflictingParameters)
762
+
}
763
+
fileName, err:=filepath.Abs(c.Args()[0])
764
+
iferr!=nil {
765
+
returntoExitError(err)
766
+
}
767
+
if_, err:=os.Stat(fileName); os.IsNotExist(err) {
768
+
returncommon.NewExitError("Error: cannot operate on non-existent file", codes.NoFileSpecified)
769
+
}
770
+
771
+
unencryptedSuffix:=c.String("unencrypted-suffix")
772
+
encryptedSuffix:=c.String("encrypted-suffix")
773
+
encryptedRegex:=c.String("encrypted-regex")
774
+
unencryptedRegex:=c.String("unencrypted-regex")
775
+
conf, err:=loadConfig(c, fileName, nil)
776
+
iferr!=nil {
777
+
returntoExitError(err)
778
+
}
779
+
ifconf!=nil {
780
+
// command line options have precedence
781
+
ifunencryptedSuffix=="" {
782
+
unencryptedSuffix=conf.UnencryptedSuffix
783
+
}
784
+
ifencryptedSuffix=="" {
785
+
encryptedSuffix=conf.EncryptedSuffix
786
+
}
787
+
ifencryptedRegex=="" {
788
+
encryptedRegex=conf.EncryptedRegex
789
+
}
790
+
ifunencryptedRegex=="" {
791
+
unencryptedRegex=conf.UnencryptedRegex
792
+
}
793
+
}
794
+
795
+
cryptRuleCount:=0
796
+
ifunencryptedSuffix!="" {
797
+
cryptRuleCount++
798
+
}
799
+
ifencryptedSuffix!="" {
800
+
cryptRuleCount++
801
+
}
802
+
ifencryptedRegex!="" {
803
+
cryptRuleCount++
804
+
}
805
+
ifunencryptedRegex!="" {
806
+
cryptRuleCount++
807
+
}
808
+
809
+
ifcryptRuleCount>1 {
810
+
returncommon.NewExitError("Error: cannot use more than one of encrypted_suffix, unencrypted_suffix, encrypted_regex or unencrypted_regex in the same file", codes.ErrorConflictingParameters)
811
+
}
812
+
813
+
// only supply the default UnencryptedSuffix when EncryptedSuffix and EncryptedRegex are not provided
814
+
ifcryptRuleCount==0 {
815
+
unencryptedSuffix=sops.DefaultUnencryptedSuffix
816
+
}
817
+
818
+
inputStore:=inputStore(c, fileName)
819
+
outputStore:=outputStore(c, fileName)
820
+
svcs:=keyservices(c)
821
+
822
+
groups, err:=keyGroups(c, fileName)
823
+
iferr!=nil {
824
+
returntoExitError(err)
825
+
}
826
+
threshold, err:=shamirThreshold(c, fileName)
827
+
iferr!=nil {
828
+
returntoExitError(err)
829
+
}
830
+
output, err:=encrypt(encryptOpts{
831
+
OutputStore: outputStore,
832
+
InputStore: inputStore,
833
+
InputPath: fileName,
834
+
Cipher: aes.NewCipher(),
835
+
UnencryptedSuffix: unencryptedSuffix,
836
+
EncryptedSuffix: encryptedSuffix,
837
+
UnencryptedRegex: unencryptedRegex,
838
+
EncryptedRegex: encryptedRegex,
839
+
KeyServices: svcs,
840
+
KeyGroups: groups,
841
+
GroupThreshold: threshold,
842
+
})
843
+
iferr!=nil {
844
+
returntoExitError(err)
845
+
}
846
+
847
+
// We open the file *after* the operations on the tree have been
848
+
// executed to avoid truncating it when there's errors
849
+
ifc.Bool("in-place") {
850
+
file, err:=os.Create(fileName)
851
+
iferr!=nil {
852
+
returncommon.NewExitError(fmt.Sprintf("Could not open in-place file for writing: %s", err), codes.CouldNotWriteOutputFile)
853
+
}
854
+
deferfile.Close()
855
+
_, err=file.Write(output)
856
+
iferr!=nil {
857
+
returntoExitError(err)
858
+
}
859
+
log.Info("File written successfully")
860
+
returnnil
861
+
}
862
+
863
+
outputFile:=os.Stdout
864
+
ifc.String("output") !="" {
865
+
file, err:=os.Create(c.String("output"))
866
+
iferr!=nil {
867
+
returncommon.NewExitError(fmt.Sprintf("Could not open output file for writing: %s", err), codes.CouldNotWriteOutputFile)