Skip to content

Commit

Permalink
feat: add age plugin support
Browse files Browse the repository at this point in the history
Signed-off-by: Brian McGee <[email protected]>
Co-authored-by: Maximilian Bosch <[email protected]>
Signed-off-by: Brian McGee <[email protected]>
  • Loading branch information
brianmcgee and Ma27 committed Dec 24, 2024
1 parent 8019097 commit eca80c2
Show file tree
Hide file tree
Showing 3 changed files with 70 additions and 10 deletions.
74 changes: 66 additions & 8 deletions age/keysource.go
Original file line number Diff line number Diff line change
@@ -1,8 +1,11 @@
package age

import (
"bufio"
"bytes"
"errors"
"filippo.io/age/plugin"
"filippo.io/age/tui"
"fmt"
"io"
"os"
Expand Down Expand Up @@ -60,7 +63,7 @@ type MasterKey struct {
parsedIdentities []age.Identity
// parsedRecipient contains a parsed age public key.
// It is used to lazy-load the Recipient at-most once.
parsedRecipient *age.X25519Recipient
parsedRecipient age.Recipient
}

// MasterKeysFromRecipients takes a comma-separated list of Bech32-encoded
Expand Down Expand Up @@ -126,6 +129,7 @@ func (i ParsedIdentities) ApplyToMasterKey(key *MasterKey) {

// Encrypt takes a SOPS data key, encrypts it with the Recipient, and stores
// the result in the EncryptedKey field.

func (key *MasterKey) Encrypt(dataKey []byte) error {
if key.parsedRecipient == nil {
parsedRecipient, err := parseRecipient(key.Recipient)
Expand Down Expand Up @@ -284,7 +288,12 @@ func (key *MasterKey) loadIdentities() (ParsedIdentities, error) {

var identities ParsedIdentities
for n, r := range readers {
ids, err := age.ParseIdentities(r)
buf := new(strings.Builder)
_, err := io.Copy(buf, r)
if err != nil {
return nil, fmt.Errorf("failed to read '%s' age identities: %w", n, err)
}
ids, err := parseIdentities(buf.String())
if err != nil {
return nil, fmt.Errorf("failed to parse '%s' age identities: %w", n, err)
}
Expand All @@ -295,12 +304,21 @@ func (key *MasterKey) loadIdentities() (ParsedIdentities, error) {

// parseRecipient attempts to parse a string containing an encoded age public
// key.
func parseRecipient(recipient string) (*age.X25519Recipient, error) {
parsedRecipient, err := age.ParseX25519Recipient(recipient)
if err != nil {
return nil, fmt.Errorf("failed to parse input as Bech32-encoded age public key: %w", err)
func parseRecipient(recipient string) (age.Recipient, error) {
switch {
case strings.HasPrefix(recipient, "age1") && strings.Count(recipient, "1") > 1:
parsedRecipient, err := plugin.NewRecipient(recipient, tui.PluginTerminalUI)
if err != nil {
return nil, fmt.Errorf("failed to parse input as age key from age plugin: %w", err)
}
return parsedRecipient, nil
default:
parsedRecipient, err := age.ParseX25519Recipient(recipient)
if err != nil {
return nil, fmt.Errorf("failed to parse input as Bech32-encoded age public key: %w", err)
}
return parsedRecipient, nil
}
return parsedRecipient, nil
}

// parseIdentities attempts to parse the string set of encoded age identities.
Expand All @@ -309,11 +327,51 @@ func parseRecipient(recipient string) (*age.X25519Recipient, error) {
func parseIdentities(identity ...string) (ParsedIdentities, error) {
var identities []age.Identity
for _, i := range identity {
parsed, err := age.ParseIdentities(strings.NewReader(i))
parsed, err := _parseIdentities(strings.NewReader(i))
if err != nil {
return nil, err
}
identities = append(identities, parsed...)
}
return identities, nil
}

func parseIdentity(s string) (age.Identity, error) {
switch {
case strings.HasPrefix(s, "AGE-PLUGIN-"):
return plugin.NewIdentity(s, tui.PluginTerminalUI)
case strings.HasPrefix(s, "AGE-SECRET-KEY-1"):
return age.ParseX25519Identity(s)
default:
return nil, fmt.Errorf("unknown identity type")
}
}

// parseIdentities is like age.ParseIdentities, but supports plugin identities.
func _parseIdentities(f io.Reader) (ParsedIdentities, error) {
const privateKeySizeLimit = 1 << 24 // 16 MiB
var ids []age.Identity
scanner := bufio.NewScanner(io.LimitReader(f, privateKeySizeLimit))
var n int
for scanner.Scan() {
n++
line := scanner.Text()
if strings.HasPrefix(line, "#") || line == "" {
continue
}

i, err := parseIdentity(line)
if err != nil {
return nil, fmt.Errorf("error at line %d: %v", n, err)
}
ids = append(ids, i)

}
if err := scanner.Err(); err != nil {
return nil, fmt.Errorf("failed to read secret keys file: %v", err)
}
if len(ids) == 0 {
return nil, fmt.Errorf("no secret keys found")
}
return ids, nil
}
2 changes: 2 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -147,3 +147,5 @@ require (
google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
)

replace filippo.io/age => github.com/brianmcgee/age v0.0.0-20241218154423-266c0940916d
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -27,8 +27,6 @@ cloud.google.com/go/trace v1.11.2 h1:4ZmaBdL8Ng/ajrgKqY5jfvzqMXbrDcBsUGXOT9aqTtI
cloud.google.com/go/trace v1.11.2/go.mod h1:bn7OwXd4pd5rFuAnTrzBuoZ4ax2XQeG3qNgYmfCy0Io=
dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 h1:JZg6HRh6W6U4OLl6lk7BZ7BLisIzM9dG1R50zUk9C/M=
Expand Down Expand Up @@ -107,6 +105,8 @@ github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=
github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
github.com/brianmcgee/age v0.0.0-20241218154423-266c0940916d h1:6z3SW9YQdT4SVX/qT43NxZvOxek9ZgYbY4R7ACzBPvE=
github.com/brianmcgee/age v0.0.0-20241218154423-266c0940916d/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
Expand Down

0 comments on commit eca80c2

Please sign in to comment.